Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
7laJ4zKd8O.exe

Overview

General Information

Sample name:7laJ4zKd8O.exe
renamed because original name is a hash value
Original sample name:1738a9a215f705403b1c4f67b8ad76bb636f28510ea619bff16836f1e85421ac.exe
Analysis ID:1575204
MD5:43bb1fbfd735df983c0dbb50eda6ffef
SHA1:1173e059d3c502019cfa7c719a34c99ed3bc32f1
SHA256:1738a9a215f705403b1c4f67b8ad76bb636f28510ea619bff16836f1e85421ac
Tags:exeuser-Chainskilabs
Infos:

Detection

XWorm
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected XWorm
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Check if machine is in data center or colocation facility
Connects to many ports of the same IP (likely port scanning)
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Protects its processes via BreakOnTermination flag
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Generic Downloader
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Powershell Defender Exclusion
Sigma detected: Startup Folder File Write
Sigma detected: Suspicious Schtasks From Env Var Folder
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Process Tree

  • System is w10x64
  • 7laJ4zKd8O.exe (PID: 6640 cmdline: "C:\Users\user\Desktop\7laJ4zKd8O.exe" MD5: 43BB1FBFD735DF983C0DBB50EDA6FFEF)
    • powershell.exe (PID: 3428 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\7laJ4zKd8O.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 1696 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 908 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '7laJ4zKd8O.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 6784 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 2484 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\System User.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 5496 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 1244 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'System User.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 2228 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • schtasks.exe (PID: 796 cmdline: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "System User" /tr "C:\Users\user\AppData\Roaming\System User.exe" MD5: 76CD6626DD8834BD4A42E6A565104DC2)
      • conhost.exe (PID: 5184 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • System User.exe (PID: 5336 cmdline: "C:\Users\user\AppData\Roaming\System User.exe" MD5: 43BB1FBFD735DF983C0DBB50EDA6FFEF)
  • System User.exe (PID: 4088 cmdline: "C:\Users\user\AppData\Roaming\System User.exe" MD5: 43BB1FBFD735DF983C0DBB50EDA6FFEF)
  • System User.exe (PID: 5856 cmdline: "C:\Users\user\AppData\Roaming\System User.exe" MD5: 43BB1FBFD735DF983C0DBB50EDA6FFEF)
  • System User.exe (PID: 3180 cmdline: "C:\Users\user\AppData\Roaming\System User.exe" MD5: 43BB1FBFD735DF983C0DBB50EDA6FFEF)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
XWormMalware with wide range of capabilities ranging from RAT to ransomware.No Attributionhttps://malpedia.caad.fkie.fraunhofer.de/details/win.xworm

Malware Configuration

Threatname: Xworm

{"C2 url": ["hope-asia.gl.at.ply.gg"], "Port": 35710, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe"}

Yara Signatures

Initial Sample

SourceRuleDescriptionAuthorStrings
7laJ4zKd8O.exeJoeSecurity_XWormYara detected XWormJoe Security
    7laJ4zKd8O.exeJoeSecurity_GenericDownloader_1Yara detected Generic DownloaderJoe Security
      7laJ4zKd8O.exeMALWARE_Win_AsyncRATDetects AsyncRATditekSHen
      • 0xea6e:$s6: VirtualBox
      • 0xe9cc:$s8: Win32_ComputerSystem
      • 0x117d1:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
      • 0x1186e:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
      • 0x11983:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
      • 0x106ff:$cnc4: POST / HTTP/1.1

      Dropped Files

      SourceRuleDescriptionAuthorStrings
      C:\Users\user\AppData\Roaming\System User.exeJoeSecurity_XWormYara detected XWormJoe Security
        C:\Users\user\AppData\Roaming\System User.exeJoeSecurity_GenericDownloader_1Yara detected Generic DownloaderJoe Security
          C:\Users\user\AppData\Roaming\System User.exeMALWARE_Win_AsyncRATDetects AsyncRATditekSHen
          • 0xea6e:$s6: VirtualBox
          • 0xe9cc:$s8: Win32_ComputerSystem
          • 0x117d1:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
          • 0x1186e:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
          • 0x11983:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
          • 0x106ff:$cnc4: POST / HTTP/1.1

          Memory Dumps

          SourceRuleDescriptionAuthorStrings
          00000000.00000000.1750635709.0000000000F02000.00000002.00000001.01000000.00000003.sdmpJoeSecurity_XWormYara detected XWormJoe Security
            00000000.00000000.1750635709.0000000000F02000.00000002.00000001.01000000.00000003.sdmpMALWARE_Win_AsyncRATDetects AsyncRATditekSHen
            • 0xe86e:$s6: VirtualBox
            • 0xe7cc:$s8: Win32_ComputerSystem
            • 0x115d1:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
            • 0x1166e:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
            • 0x11783:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
            • 0x104ff:$cnc4: POST / HTTP/1.1
            00000000.00000002.3005446682.00000000031AC000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_XWormYara detected XWormJoe Security
              00000000.00000002.3005446682.000000000322D000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_XWormYara detected XWormJoe Security
                00000000.00000002.3005446682.0000000003161000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_XWormYara detected XWormJoe Security
                  Click to see the 1 entries

                  Unpacked PEs

                  SourceRuleDescriptionAuthorStrings
                  0.0.7laJ4zKd8O.exe.f00000.0.unpackJoeSecurity_XWormYara detected XWormJoe Security
                    0.0.7laJ4zKd8O.exe.f00000.0.unpackJoeSecurity_GenericDownloader_1Yara detected Generic DownloaderJoe Security
                      0.0.7laJ4zKd8O.exe.f00000.0.unpackMALWARE_Win_AsyncRATDetects AsyncRATditekSHen
                      • 0xea6e:$s6: VirtualBox
                      • 0xe9cc:$s8: Win32_ComputerSystem
                      • 0x117d1:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
                      • 0x1186e:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
                      • 0x11983:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
                      • 0x106ff:$cnc4: POST / HTTP/1.1

                      Sigma Signatures

                      System Summary

                      barindex
                      Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
                      Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\7laJ4zKd8O.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\7laJ4zKd8O.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\7laJ4zKd8O.exe", ParentImage: C:\Users\user\Desktop\7laJ4zKd8O.exe, ParentProcessId: 6640, ParentProcessName: 7laJ4zKd8O.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\7laJ4zKd8O.exe', ProcessId: 3428, ProcessName: powershell.exe
                      Sigma detected: Change PowerShell Policies to an Insecure Level
                      Source: Process startedAuthor: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\7laJ4zKd8O.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\7laJ4zKd8O.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\7laJ4zKd8O.exe", ParentImage: C:\Users\user\Desktop\7laJ4zKd8O.exe, ParentProcessId: 6640, ParentProcessName: 7laJ4zKd8O.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\7laJ4zKd8O.exe', ProcessId: 3428, ProcessName: powershell.exe
                      Sigma detected: CurrentVersion Autorun Keys Modification
                      Source: Registry Key setAuthor: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Roaming\System User.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\7laJ4zKd8O.exe, ProcessId: 6640, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System User
                      Sigma detected: Powershell Defender Exclusion
                      Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\7laJ4zKd8O.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\7laJ4zKd8O.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\7laJ4zKd8O.exe", ParentImage: C:\Users\user\Desktop\7laJ4zKd8O.exe, ParentProcessId: 6640, ParentProcessName: 7laJ4zKd8O.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\7laJ4zKd8O.exe', ProcessId: 3428, ProcessName: powershell.exe
                      Sigma detected: Startup Folder File Write
                      Source: File createdAuthor: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: EventID: 11, Image: C:\Users\user\Desktop\7laJ4zKd8O.exe, ProcessId: 6640, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System User.lnk
                      Sigma detected: Suspicious Schtasks From Env Var Folder
                      Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "System User" /tr "C:\Users\user\AppData\Roaming\System User.exe", CommandLine: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "System User" /tr "C:\Users\user\AppData\Roaming\System User.exe", CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\7laJ4zKd8O.exe", ParentImage: C:\Users\user\Desktop\7laJ4zKd8O.exe, ParentProcessId: 6640, ParentProcessName: 7laJ4zKd8O.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "System User" /tr "C:\Users\user\AppData\Roaming\System User.exe", ProcessId: 796, ProcessName: schtasks.exe
                      Sigma detected: Non Interactive PowerShell Process Spawned
                      Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\7laJ4zKd8O.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\7laJ4zKd8O.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\7laJ4zKd8O.exe", ParentImage: C:\Users\user\Desktop\7laJ4zKd8O.exe, ParentProcessId: 6640, ParentProcessName: 7laJ4zKd8O.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\7laJ4zKd8O.exe', ProcessId: 3428, ProcessName: powershell.exe

                      Suricata Signatures

                      TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                      2024-12-14T18:51:19.441769+010028528701Malware Command and Control Activity Detected147.185.221.1835710192.168.2.449765TCP
                      2024-12-14T18:51:26.990413+010028528701Malware Command and Control Activity Detected147.185.221.1835710192.168.2.449765TCP
                      2024-12-14T18:51:40.713387+010028528701Malware Command and Control Activity Detected147.185.221.1835710192.168.2.449765TCP
                      2024-12-14T18:51:49.441195+010028528701Malware Command and Control Activity Detected147.185.221.1835710192.168.2.449765TCP
                      2024-12-14T18:51:54.449133+010028528701Malware Command and Control Activity Detected147.185.221.1835710192.168.2.449765TCP
                      2024-12-14T18:52:08.174682+010028528701Malware Command and Control Activity Detected147.185.221.1835710192.168.2.449765TCP
                      2024-12-14T18:52:16.024135+010028528701Malware Command and Control Activity Detected147.185.221.1835710192.168.2.449765TCP
                      TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                      2024-12-14T18:51:26.992028+010028529231Malware Command and Control Activity Detected192.168.2.449765147.185.221.1835710TCP
                      2024-12-14T18:51:40.715272+010028529231Malware Command and Control Activity Detected192.168.2.449765147.185.221.1835710TCP
                      2024-12-14T18:51:54.450831+010028529231Malware Command and Control Activity Detected192.168.2.449765147.185.221.1835710TCP
                      2024-12-14T18:52:08.177238+010028529231Malware Command and Control Activity Detected192.168.2.449765147.185.221.1835710TCP
                      2024-12-14T18:52:16.024962+010028529231Malware Command and Control Activity Detected192.168.2.449765147.185.221.1835710TCP
                      TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                      2024-12-14T18:51:19.441769+010028528741Malware Command and Control Activity Detected147.185.221.1835710192.168.2.449765TCP
                      2024-12-14T18:51:49.441195+010028528741Malware Command and Control Activity Detected147.185.221.1835710192.168.2.449765TCP
                      TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                      2024-12-14T18:51:26.481046+010028559241Malware Command and Control Activity Detected192.168.2.449765147.185.221.1835710TCP

                      Joe Sandbox Signatures

                      Click to jump to signature section

                      Show All Signature Results

                      AV Detection

                      barindex
                      Antivirus / Scanner detection for submitted sample
                      Source: 7laJ4zKd8O.exeAvira: detected
                      Antivirus detection for URL or domain
                      Source: hope-asia.gl.at.ply.ggAvira URL Cloud: Label: malware
                      Antivirus detection for dropped file
                      Source: C:\Users\user\AppData\Roaming\System User.exeAvira: detection malicious, Label: TR/Spy.Gen
                      Found malware configuration
                      Source: 7laJ4zKd8O.exeMalware Configuration Extractor: Xworm {"C2 url": ["hope-asia.gl.at.ply.gg"], "Port": 35710, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe"}
                      Multi AV Scanner detection for dropped file
                      Source: C:\Users\user\AppData\Roaming\System User.exeReversingLabs: Detection: 76%
                      Multi AV Scanner detection for submitted file
                      Source: 7laJ4zKd8O.exeReversingLabs: Detection: 76%
                      AI detected suspicious sample
                      Source: Submited SampleIntegrated Neural Analysis Model: Matched 100.0% probability
                      Machine Learning detection for dropped file
                      Source: C:\Users\user\AppData\Roaming\System User.exeJoe Sandbox ML: detected
                      Machine Learning detection for sample
                      Source: 7laJ4zKd8O.exeJoe Sandbox ML: detected
                      Sample uses string decryption to hide its real strings
                      Source: 7laJ4zKd8O.exeString decryptor: hope-asia.gl.at.ply.gg
                      Source: 7laJ4zKd8O.exeString decryptor: 35710
                      Source: 7laJ4zKd8O.exeString decryptor: <123456789>
                      Source: 7laJ4zKd8O.exeString decryptor: <Xwormmm>
                      Source: 7laJ4zKd8O.exeString decryptor: FakeSolara?
                      Source: 7laJ4zKd8O.exeString decryptor: USB.exe
                      Source: 7laJ4zKd8O.exeString decryptor: %AppData%
                      Source: 7laJ4zKd8O.exeString decryptor: System User.exe
                      Source: 7laJ4zKd8O.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                      Source: 7laJ4zKd8O.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                      Networking

                      barindex
                      Suricata IDS alerts for network traffic
                      Source: Network trafficSuricata IDS: 2852870 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes : 147.185.221.18:35710 -> 192.168.2.4:49765
                      Source: Network trafficSuricata IDS: 2852874 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 : 147.185.221.18:35710 -> 192.168.2.4:49765
                      Source: Network trafficSuricata IDS: 2855924 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.4:49765 -> 147.185.221.18:35710
                      Source: Network trafficSuricata IDS: 2852923 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) : 192.168.2.4:49765 -> 147.185.221.18:35710
                      C2 URLs / IPs found in malware configuration
                      Source: Malware configuration extractorURLs: hope-asia.gl.at.ply.gg
                      Connects to many ports of the same IP (likely port scanning)
                      Source: global trafficTCP traffic: 147.185.221.18 ports 0,1,3,35710,5,7
                      Yara detected Generic Downloader
                      Source: Yara matchFile source: 7laJ4zKd8O.exe, type: SAMPLE
                      Source: Yara matchFile source: 0.0.7laJ4zKd8O.exe.f00000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: C:\Users\user\AppData\Roaming\System User.exe, type: DROPPED
                      Source: global trafficTCP traffic: 192.168.2.4:49765 -> 147.185.221.18:35710
                      Source: global trafficHTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
                      Source: Joe Sandbox ViewIP Address: 208.95.112.1 208.95.112.1
                      Source: Joe Sandbox ViewIP Address: 147.185.221.18 147.185.221.18
                      Source: Joe Sandbox ViewASN Name: SALSGIVERUS SALSGIVERUS
                      Source: unknownDNS query: name: ip-api.com
                      Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                      Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                      Source: global trafficHTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
                      Source: global trafficDNS traffic detected: DNS query: ip-api.com
                      Source: global trafficDNS traffic detected: DNS query: hope-asia.gl.at.ply.gg
                      Source: powershell.exe, 00000004.00000002.1994363656.00000182D555D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.mic
                      Source: powershell.exe, 00000004.00000002.1994363656.00000182D555D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.micft.cMicRosof
                      Source: powershell.exe, 00000009.00000002.2128388765.000002BDB9194000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.microso
                      Source: 7laJ4zKd8O.exe, System User.exe.0.drString found in binary or memory: http://ip-api.com/line/?fields=hosting
                      Source: powershell.exe, 00000001.00000002.1883340217.0000026E91481000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1977415363.00000182CCD91000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2108653884.000002BDB0B51000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2296796513.000001E39DE8F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
                      Source: powershell.exe, 0000000B.00000002.2164162338.000001E38E049000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
                      Source: powershell.exe, 00000001.00000002.1868728706.0000026E81639000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1922679316.00000182BCF48000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2030956829.000002BDA0D0A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2164162338.000001E38E049000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
                      Source: 7laJ4zKd8O.exe, 00000000.00000002.3005446682.0000000003161000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1868728706.0000026E81411000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1922679316.00000182BCD21000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2030956829.000002BDA0AE1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2164162338.000001E38DE21000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                      Source: powershell.exe, 00000001.00000002.1868728706.0000026E81639000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1922679316.00000182BCF48000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2030956829.000002BDA0D0A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2164162338.000001E38E049000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/
                      Source: powershell.exe, 0000000B.00000002.2164162338.000001E38E049000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
                      Source: powershell.exe, 00000001.00000002.1868728706.0000026E81411000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1922679316.00000182BCD21000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2030956829.000002BDA0AE1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2164162338.000001E38DE21000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore68
                      Source: powershell.exe, 0000000B.00000002.2296796513.000001E39DE8F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
                      Source: powershell.exe, 0000000B.00000002.2296796513.000001E39DE8F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
                      Source: powershell.exe, 0000000B.00000002.2296796513.000001E39DE8F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
                      Source: powershell.exe, 0000000B.00000002.2164162338.000001E38E049000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
                      Source: powershell.exe, 00000001.00000002.1883340217.0000026E91481000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1977415363.00000182CCD91000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2108653884.000002BDB0B51000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2296796513.000001E39DE8F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe

                      Operating System Destruction

                      barindex
                      Protects its processes via BreakOnTermination flag
                      Source: C:\Users\user\Desktop\7laJ4zKd8O.exeProcess information set: 01 00 00 00 Jump to behavior

                      System Summary

                      barindex
                      Malicious sample detected (through community Yara rule)
                      Source: 7laJ4zKd8O.exe, type: SAMPLEMatched rule: Detects AsyncRAT Author: ditekSHen
                      Source: 0.0.7laJ4zKd8O.exe.f00000.0.unpack, type: UNPACKEDPEMatched rule: Detects AsyncRAT Author: ditekSHen
                      Source: 00000000.00000000.1750635709.0000000000F02000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Detects AsyncRAT Author: ditekSHen
                      Source: C:\Users\user\AppData\Roaming\System User.exe, type: DROPPEDMatched rule: Detects AsyncRAT Author: ditekSHen
                      Source: C:\Users\user\Desktop\7laJ4zKd8O.exeCode function: 0_2_00007FFD9B70E3740_2_00007FFD9B70E374
                      Source: C:\Users\user\Desktop\7laJ4zKd8O.exeCode function: 0_2_00007FFD9B706E720_2_00007FFD9B706E72
                      Source: C:\Users\user\Desktop\7laJ4zKd8O.exeCode function: 0_2_00007FFD9B7017190_2_00007FFD9B701719
                      Source: C:\Users\user\Desktop\7laJ4zKd8O.exeCode function: 0_2_00007FFD9B7060C60_2_00007FFD9B7060C6
                      Source: C:\Users\user\Desktop\7laJ4zKd8O.exeCode function: 0_2_00007FFD9B7010A50_2_00007FFD9B7010A5
                      Source: C:\Users\user\Desktop\7laJ4zKd8O.exeCode function: 0_2_00007FFD9B7020F10_2_00007FFD9B7020F1
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_00007FFD9B7F30E94_2_00007FFD9B7F30E9
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 9_2_00007FFD9B7B30E99_2_00007FFD9B7B30E9
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 11_2_00007FFD9B7C30E911_2_00007FFD9B7C30E9
                      Source: C:\Users\user\AppData\Roaming\System User.exeCode function: 15_2_00007FFD9B71171915_2_00007FFD9B711719
                      Source: C:\Users\user\AppData\Roaming\System User.exeCode function: 15_2_00007FFD9B7120F115_2_00007FFD9B7120F1
                      Source: C:\Users\user\AppData\Roaming\System User.exeCode function: 15_2_00007FFD9B71103815_2_00007FFD9B711038
                      Source: C:\Users\user\AppData\Roaming\System User.exeCode function: 16_2_00007FFD9B71171916_2_00007FFD9B711719
                      Source: C:\Users\user\AppData\Roaming\System User.exeCode function: 16_2_00007FFD9B7120F116_2_00007FFD9B7120F1
                      Source: C:\Users\user\AppData\Roaming\System User.exeCode function: 16_2_00007FFD9B71103816_2_00007FFD9B711038
                      Source: C:\Users\user\AppData\Roaming\System User.exeCode function: 18_2_00007FFD9B6F171918_2_00007FFD9B6F1719
                      Source: C:\Users\user\AppData\Roaming\System User.exeCode function: 18_2_00007FFD9B6F103818_2_00007FFD9B6F1038
                      Source: C:\Users\user\AppData\Roaming\System User.exeCode function: 18_2_00007FFD9B6F20F118_2_00007FFD9B6F20F1
                      Source: C:\Users\user\AppData\Roaming\System User.exeCode function: 19_2_00007FFD9B70171919_2_00007FFD9B701719
                      Source: C:\Users\user\AppData\Roaming\System User.exeCode function: 19_2_00007FFD9B70103819_2_00007FFD9B701038
                      Source: C:\Users\user\AppData\Roaming\System User.exeCode function: 19_2_00007FFD9B7020F119_2_00007FFD9B7020F1
                      Source: 7laJ4zKd8O.exe, 00000000.00000000.1750677375.0000000000F16000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameSolaraBoostrapper.exel% vs 7laJ4zKd8O.exe
                      Source: 7laJ4zKd8O.exeBinary or memory string: OriginalFilenameSolaraBoostrapper.exel% vs 7laJ4zKd8O.exe
                      Source: 7laJ4zKd8O.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                      Source: 7laJ4zKd8O.exe, type: SAMPLEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                      Source: 0.0.7laJ4zKd8O.exe.f00000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                      Source: 00000000.00000000.1750635709.0000000000F02000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                      Source: C:\Users\user\AppData\Roaming\System User.exe, type: DROPPEDMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                      Source: 7laJ4zKd8O.exe, 4p2MOjMmg0Mw3eToQaNKl4iotxvvp0Ha5Yn2PI7qTHssZDAsJA7LQLNuPGsnIg8.csCryptographic APIs: 'TransformFinalBlock'
                      Source: 7laJ4zKd8O.exe, 4p2MOjMmg0Mw3eToQaNKl4iotxvvp0Ha5Yn2PI7qTHssZDAsJA7LQLNuPGsnIg8.csCryptographic APIs: 'TransformFinalBlock'
                      Source: 7laJ4zKd8O.exe, uKqaBGoSZcA6KDZRLyJMwl4B1NjzhP8PLu3ssdXOkCEruoskITa54wh7AUGeYL5.csCryptographic APIs: 'TransformFinalBlock'
                      Source: System User.exe.0.dr, 4p2MOjMmg0Mw3eToQaNKl4iotxvvp0Ha5Yn2PI7qTHssZDAsJA7LQLNuPGsnIg8.csCryptographic APIs: 'TransformFinalBlock'
                      Source: System User.exe.0.dr, 4p2MOjMmg0Mw3eToQaNKl4iotxvvp0Ha5Yn2PI7qTHssZDAsJA7LQLNuPGsnIg8.csCryptographic APIs: 'TransformFinalBlock'
                      Source: System User.exe.0.dr, uKqaBGoSZcA6KDZRLyJMwl4B1NjzhP8PLu3ssdXOkCEruoskITa54wh7AUGeYL5.csCryptographic APIs: 'TransformFinalBlock'
                      Source: System User.exe.0.dr, skEKY7g1SLbLcMv94Pv2L68O2M8A6Cc.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                      Source: System User.exe.0.dr, skEKY7g1SLbLcMv94Pv2L68O2M8A6Cc.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                      Source: 7laJ4zKd8O.exe, skEKY7g1SLbLcMv94Pv2L68O2M8A6Cc.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                      Source: 7laJ4zKd8O.exe, skEKY7g1SLbLcMv94Pv2L68O2M8A6Cc.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                      Source: classification engineClassification label: mal100.troj.evad.winEXE@20/21@2/2
                      Source: C:\Users\user\Desktop\7laJ4zKd8O.exeFile created: C:\Users\user\AppData\Roaming\System User.exeJump to behavior
                      Source: C:\Users\user\AppData\Roaming\System User.exeMutant created: NULL
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5184:120:WilError_03
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1696:120:WilError_03
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6784:120:WilError_03
                      Source: C:\Users\user\Desktop\7laJ4zKd8O.exeMutant created: \Sessions\1\BaseNamedObjects\ZgZPozCA0jkwHKg1
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2228:120:WilError_03
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5496:120:WilError_03
                      Source: C:\Users\user\Desktop\7laJ4zKd8O.exeFile created: C:\Users\user\AppData\Local\Temp\Log.tmpJump to behavior
                      Source: 7laJ4zKd8O.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                      Source: 7laJ4zKd8O.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                      Source: C:\Users\user\Desktop\7laJ4zKd8O.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
                      Source: C:\Users\user\Desktop\7laJ4zKd8O.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                      Source: 7laJ4zKd8O.exeReversingLabs: Detection: 76%
                      Source: C:\Users\user\Desktop\7laJ4zKd8O.exeFile read: C:\Users\user\Desktop\7laJ4zKd8O.exeJump to behavior
                      Source: unknownProcess created: C:\Users\user\Desktop\7laJ4zKd8O.exe "C:\Users\user\Desktop\7laJ4zKd8O.exe"
                      Source: C:\Users\user\Desktop\7laJ4zKd8O.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\7laJ4zKd8O.exe'
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\Desktop\7laJ4zKd8O.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '7laJ4zKd8O.exe'
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\Desktop\7laJ4zKd8O.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\System User.exe'
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\Desktop\7laJ4zKd8O.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'System User.exe'
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\Desktop\7laJ4zKd8O.exeProcess created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "System User" /tr "C:\Users\user\AppData\Roaming\System User.exe"
                      Source: C:\Windows\System32\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: unknownProcess created: C:\Users\user\AppData\Roaming\System User.exe "C:\Users\user\AppData\Roaming\System User.exe"
                      Source: unknownProcess created: C:\Users\user\AppData\Roaming\System User.exe "C:\Users\user\AppData\Roaming\System User.exe"
                      Source: unknownProcess created: C:\Users\user\AppData\Roaming\System User.exe "C:\Users\user\AppData\Roaming\System User.exe"
                      Source: unknownProcess created: C:\Users\user\AppData\Roaming\System User.exe "C:\Users\user\AppData\Roaming\System User.exe"
                      Source: C:\Users\user\Desktop\7laJ4zKd8O.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\7laJ4zKd8O.exe'Jump to behavior
                      Source: C:\Users\user\Desktop\7laJ4zKd8O.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '7laJ4zKd8O.exe'Jump to behavior
                      Source: C:\Users\user\Desktop\7laJ4zKd8O.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\System User.exe'Jump to behavior
                      Source: C:\Users\user\Desktop\7laJ4zKd8O.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'System User.exe'Jump to behavior
                      Source: C:\Users\user\Desktop\7laJ4zKd8O.exeProcess created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "System User" /tr "C:\Users\user\AppData\Roaming\System User.exe"Jump to behavior
                      Source: C:\Users\user\Desktop\7laJ4zKd8O.exeSection loaded: mscoree.dllJump to behavior
                      Source: C:\Users\user\Desktop\7laJ4zKd8O.exeSection loaded: apphelp.dllJump to behavior
                      Source: C:\Users\user\Desktop\7laJ4zKd8O.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Users\user\Desktop\7laJ4zKd8O.exeSection loaded: version.dllJump to behavior
                      Source: C:\Users\user\Desktop\7laJ4zKd8O.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                      Source: C:\Users\user\Desktop\7laJ4zKd8O.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\Users\user\Desktop\7laJ4zKd8O.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\Users\user\Desktop\7laJ4zKd8O.exeSection loaded: uxtheme.dllJump to behavior
                      Source: C:\Users\user\Desktop\7laJ4zKd8O.exeSection loaded: sspicli.dllJump to behavior
                      Source: C:\Users\user\Desktop\7laJ4zKd8O.exeSection loaded: cryptsp.dllJump to behavior
                      Source: C:\Users\user\Desktop\7laJ4zKd8O.exeSection loaded: rsaenh.dllJump to behavior
                      Source: C:\Users\user\Desktop\7laJ4zKd8O.exeSection loaded: cryptbase.dllJump to behavior
                      Source: C:\Users\user\Desktop\7laJ4zKd8O.exeSection loaded: wbemcomn.dllJump to behavior
                      Source: C:\Users\user\Desktop\7laJ4zKd8O.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Users\user\Desktop\7laJ4zKd8O.exeSection loaded: userenv.dllJump to behavior
                      Source: C:\Users\user\Desktop\7laJ4zKd8O.exeSection loaded: profapi.dllJump to behavior
                      Source: C:\Users\user\Desktop\7laJ4zKd8O.exeSection loaded: windows.storage.dllJump to behavior
                      Source: C:\Users\user\Desktop\7laJ4zKd8O.exeSection loaded: wldp.dllJump to behavior
                      Source: C:\Users\user\Desktop\7laJ4zKd8O.exeSection loaded: rasapi32.dllJump to behavior
                      Source: C:\Users\user\Desktop\7laJ4zKd8O.exeSection loaded: rasman.dllJump to behavior
                      Source: C:\Users\user\Desktop\7laJ4zKd8O.exeSection loaded: rtutils.dllJump to behavior
                      Source: C:\Users\user\Desktop\7laJ4zKd8O.exeSection loaded: mswsock.dllJump to behavior
                      Source: C:\Users\user\Desktop\7laJ4zKd8O.exeSection loaded: winhttp.dllJump to behavior
                      Source: C:\Users\user\Desktop\7laJ4zKd8O.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                      Source: C:\Users\user\Desktop\7laJ4zKd8O.exeSection loaded: iphlpapi.dllJump to behavior
                      Source: C:\Users\user\Desktop\7laJ4zKd8O.exeSection loaded: dhcpcsvc6.dllJump to behavior
                      Source: C:\Users\user\Desktop\7laJ4zKd8O.exeSection loaded: dhcpcsvc.dllJump to behavior
                      Source: C:\Users\user\Desktop\7laJ4zKd8O.exeSection loaded: dnsapi.dllJump to behavior
                      Source: C:\Users\user\Desktop\7laJ4zKd8O.exeSection loaded: winnsi.dllJump to behavior
                      Source: C:\Users\user\Desktop\7laJ4zKd8O.exeSection loaded: rasadhlp.dllJump to behavior
                      Source: C:\Users\user\Desktop\7laJ4zKd8O.exeSection loaded: fwpuclnt.dllJump to behavior
                      Source: C:\Users\user\Desktop\7laJ4zKd8O.exeSection loaded: propsys.dllJump to behavior
                      Source: C:\Users\user\Desktop\7laJ4zKd8O.exeSection loaded: edputil.dllJump to behavior
                      Source: C:\Users\user\Desktop\7laJ4zKd8O.exeSection loaded: urlmon.dllJump to behavior
                      Source: C:\Users\user\Desktop\7laJ4zKd8O.exeSection loaded: iertutil.dllJump to behavior
                      Source: C:\Users\user\Desktop\7laJ4zKd8O.exeSection loaded: srvcli.dllJump to behavior
                      Source: C:\Users\user\Desktop\7laJ4zKd8O.exeSection loaded: netutils.dllJump to behavior
                      Source: C:\Users\user\Desktop\7laJ4zKd8O.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                      Source: C:\Users\user\Desktop\7laJ4zKd8O.exeSection loaded: wintypes.dllJump to behavior
                      Source: C:\Users\user\Desktop\7laJ4zKd8O.exeSection loaded: appresolver.dllJump to behavior
                      Source: C:\Users\user\Desktop\7laJ4zKd8O.exeSection loaded: bcp47langs.dllJump to behavior
                      Source: C:\Users\user\Desktop\7laJ4zKd8O.exeSection loaded: slc.dllJump to behavior
                      Source: C:\Users\user\Desktop\7laJ4zKd8O.exeSection loaded: sppc.dllJump to behavior
                      Source: C:\Users\user\Desktop\7laJ4zKd8O.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                      Source: C:\Users\user\Desktop\7laJ4zKd8O.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                      Source: C:\Users\user\Desktop\7laJ4zKd8O.exeSection loaded: sxs.dllJump to behavior
                      Source: C:\Users\user\Desktop\7laJ4zKd8O.exeSection loaded: mpr.dllJump to behavior
                      Source: C:\Users\user\Desktop\7laJ4zKd8O.exeSection loaded: scrrun.dllJump to behavior
                      Source: C:\Users\user\Desktop\7laJ4zKd8O.exeSection loaded: linkinfo.dllJump to behavior
                      Source: C:\Users\user\Desktop\7laJ4zKd8O.exeSection loaded: ntshrui.dllJump to behavior
                      Source: C:\Users\user\Desktop\7laJ4zKd8O.exeSection loaded: cscapi.dllJump to behavior
                      Source: C:\Users\user\Desktop\7laJ4zKd8O.exeSection loaded: avicap32.dllJump to behavior
                      Source: C:\Users\user\Desktop\7laJ4zKd8O.exeSection loaded: msvfw32.dllJump to behavior
                      Source: C:\Users\user\Desktop\7laJ4zKd8O.exeSection loaded: winmm.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
                      Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dll
                      Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dll
                      Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dll
                      Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dll
                      Source: C:\Users\user\AppData\Roaming\System User.exeSection loaded: mscoree.dll
                      Source: C:\Users\user\AppData\Roaming\System User.exeSection loaded: apphelp.dll
                      Source: C:\Users\user\AppData\Roaming\System User.exeSection loaded: kernel.appcore.dll
                      Source: C:\Users\user\AppData\Roaming\System User.exeSection loaded: version.dll
                      Source: C:\Users\user\AppData\Roaming\System User.exeSection loaded: vcruntime140_clr0400.dll
                      Source: C:\Users\user\AppData\Roaming\System User.exeSection loaded: ucrtbase_clr0400.dll
                      Source: C:\Users\user\AppData\Roaming\System User.exeSection loaded: ucrtbase_clr0400.dll
                      Source: C:\Users\user\AppData\Roaming\System User.exeSection loaded: uxtheme.dll
                      Source: C:\Users\user\AppData\Roaming\System User.exeSection loaded: sspicli.dll
                      Source: C:\Users\user\AppData\Roaming\System User.exeSection loaded: cryptsp.dll
                      Source: C:\Users\user\AppData\Roaming\System User.exeSection loaded: rsaenh.dll
                      Source: C:\Users\user\AppData\Roaming\System User.exeSection loaded: cryptbase.dll
                      Source: C:\Users\user\AppData\Roaming\System User.exeSection loaded: mscoree.dll
                      Source: C:\Users\user\AppData\Roaming\System User.exeSection loaded: kernel.appcore.dll
                      Source: C:\Users\user\AppData\Roaming\System User.exeSection loaded: version.dll
                      Source: C:\Users\user\AppData\Roaming\System User.exeSection loaded: vcruntime140_clr0400.dll
                      Source: C:\Users\user\AppData\Roaming\System User.exeSection loaded: ucrtbase_clr0400.dll
                      Source: C:\Users\user\AppData\Roaming\System User.exeSection loaded: ucrtbase_clr0400.dll
                      Source: C:\Users\user\AppData\Roaming\System User.exeSection loaded: uxtheme.dll
                      Source: C:\Users\user\AppData\Roaming\System User.exeSection loaded: sspicli.dll
                      Source: C:\Users\user\AppData\Roaming\System User.exeSection loaded: cryptsp.dll
                      Source: C:\Users\user\AppData\Roaming\System User.exeSection loaded: rsaenh.dll
                      Source: C:\Users\user\AppData\Roaming\System User.exeSection loaded: cryptbase.dll
                      Source: C:\Users\user\AppData\Roaming\System User.exeSection loaded: mscoree.dll
                      Source: C:\Users\user\AppData\Roaming\System User.exeSection loaded: kernel.appcore.dll
                      Source: C:\Users\user\AppData\Roaming\System User.exeSection loaded: version.dll
                      Source: C:\Users\user\AppData\Roaming\System User.exeSection loaded: vcruntime140_clr0400.dll
                      Source: C:\Users\user\AppData\Roaming\System User.exeSection loaded: ucrtbase_clr0400.dll
                      Source: C:\Users\user\AppData\Roaming\System User.exeSection loaded: ucrtbase_clr0400.dll
                      Source: C:\Users\user\AppData\Roaming\System User.exeSection loaded: uxtheme.dll
                      Source: C:\Users\user\AppData\Roaming\System User.exeSection loaded: sspicli.dll
                      Source: C:\Users\user\AppData\Roaming\System User.exeSection loaded: cryptsp.dll
                      Source: C:\Users\user\AppData\Roaming\System User.exeSection loaded: rsaenh.dll
                      Source: C:\Users\user\AppData\Roaming\System User.exeSection loaded: cryptbase.dll
                      Source: C:\Users\user\AppData\Roaming\System User.exeSection loaded: mscoree.dll
                      Source: C:\Users\user\AppData\Roaming\System User.exeSection loaded: kernel.appcore.dll
                      Source: C:\Users\user\AppData\Roaming\System User.exeSection loaded: version.dll
                      Source: C:\Users\user\AppData\Roaming\System User.exeSection loaded: vcruntime140_clr0400.dll
                      Source: C:\Users\user\AppData\Roaming\System User.exeSection loaded: ucrtbase_clr0400.dll
                      Source: C:\Users\user\AppData\Roaming\System User.exeSection loaded: uxtheme.dll
                      Source: C:\Users\user\AppData\Roaming\System User.exeSection loaded: sspicli.dll
                      Source: C:\Users\user\AppData\Roaming\System User.exeSection loaded: cryptsp.dll
                      Source: C:\Users\user\AppData\Roaming\System User.exeSection loaded: rsaenh.dll
                      Source: C:\Users\user\AppData\Roaming\System User.exeSection loaded: cryptbase.dll
                      Source: C:\Users\user\Desktop\7laJ4zKd8O.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32Jump to behavior
                      Source: System User.lnk.0.drLNK file: ..\..\..\..\..\System User.exe
                      Source: Window RecorderWindow detected: More than 3 window changes detected
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
                      Source: 7laJ4zKd8O.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                      Source: 7laJ4zKd8O.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                      Data Obfuscation

                      barindex
                      .NET source code contains method to dynamically call methods (often used by packers)
                      Source: 7laJ4zKd8O.exe, zWjH9RA7SnfJy8jmAkU64yUobTw261F.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{x5Fq8uSCYyk7HVQByzNH4qy9Qv1QEHZ.LeB63JrBNlEUbBQM5BoEI2RfrwmyDEm,x5Fq8uSCYyk7HVQByzNH4qy9Qv1QEHZ.MTOEG4CDn8ywb9iblQYHvtMolYouRLu,x5Fq8uSCYyk7HVQByzNH4qy9Qv1QEHZ.TzYs609dVofSB2hGqEc84Yk3d2JTvlN,x5Fq8uSCYyk7HVQByzNH4qy9Qv1QEHZ.LRE40oyNM9llCmTatXaM1O2uiKfLsHq,_4p2MOjMmg0Mw3eToQaNKl4iotxvvp0Ha5Yn2PI7qTHssZDAsJA7LQLNuPGsnIg8.c7SsdpqxhYLY7o0km6PyTMxdLgTnASyfnxNOrMDGK1EjEc4KfHfnTUvjv9rIGcB()}}, (string[])null, (Type[])null, (bool[])null, true)
                      Source: 7laJ4zKd8O.exe, zWjH9RA7SnfJy8jmAkU64yUobTw261F.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{SCj6YMkgoBgIozewuEkrIm1NfKYkXaA[2],_4p2MOjMmg0Mw3eToQaNKl4iotxvvp0Ha5Yn2PI7qTHssZDAsJA7LQLNuPGsnIg8.kf0Wgsb9MJoIxiuIeO3w8l1EwPtM7wUkmuKSMpeZi0LrfIZxjTMjjBl1oTfRcZo(Convert.FromBase64String(SCj6YMkgoBgIozewuEkrIm1NfKYkXaA[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
                      Source: System User.exe.0.dr, zWjH9RA7SnfJy8jmAkU64yUobTw261F.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{x5Fq8uSCYyk7HVQByzNH4qy9Qv1QEHZ.LeB63JrBNlEUbBQM5BoEI2RfrwmyDEm,x5Fq8uSCYyk7HVQByzNH4qy9Qv1QEHZ.MTOEG4CDn8ywb9iblQYHvtMolYouRLu,x5Fq8uSCYyk7HVQByzNH4qy9Qv1QEHZ.TzYs609dVofSB2hGqEc84Yk3d2JTvlN,x5Fq8uSCYyk7HVQByzNH4qy9Qv1QEHZ.LRE40oyNM9llCmTatXaM1O2uiKfLsHq,_4p2MOjMmg0Mw3eToQaNKl4iotxvvp0Ha5Yn2PI7qTHssZDAsJA7LQLNuPGsnIg8.c7SsdpqxhYLY7o0km6PyTMxdLgTnASyfnxNOrMDGK1EjEc4KfHfnTUvjv9rIGcB()}}, (string[])null, (Type[])null, (bool[])null, true)
                      Source: System User.exe.0.dr, zWjH9RA7SnfJy8jmAkU64yUobTw261F.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{SCj6YMkgoBgIozewuEkrIm1NfKYkXaA[2],_4p2MOjMmg0Mw3eToQaNKl4iotxvvp0Ha5Yn2PI7qTHssZDAsJA7LQLNuPGsnIg8.kf0Wgsb9MJoIxiuIeO3w8l1EwPtM7wUkmuKSMpeZi0LrfIZxjTMjjBl1oTfRcZo(Convert.FromBase64String(SCj6YMkgoBgIozewuEkrIm1NfKYkXaA[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
                      .NET source code contains potential unpacker
                      Source: 7laJ4zKd8O.exe, zWjH9RA7SnfJy8jmAkU64yUobTw261F.cs.Net Code: Gn1JkJgOxIaSr4FK0dK8RGlYLWHlKSU System.AppDomain.Load(byte[])
                      Source: 7laJ4zKd8O.exe, zWjH9RA7SnfJy8jmAkU64yUobTw261F.cs.Net Code: uhGaDdrYN74lAGxvddnZJYPGs4cRlgk System.AppDomain.Load(byte[])
                      Source: 7laJ4zKd8O.exe, zWjH9RA7SnfJy8jmAkU64yUobTw261F.cs.Net Code: uhGaDdrYN74lAGxvddnZJYPGs4cRlgk
                      Source: System User.exe.0.dr, zWjH9RA7SnfJy8jmAkU64yUobTw261F.cs.Net Code: Gn1JkJgOxIaSr4FK0dK8RGlYLWHlKSU System.AppDomain.Load(byte[])
                      Source: System User.exe.0.dr, zWjH9RA7SnfJy8jmAkU64yUobTw261F.cs.Net Code: uhGaDdrYN74lAGxvddnZJYPGs4cRlgk System.AppDomain.Load(byte[])
                      Source: System User.exe.0.dr, zWjH9RA7SnfJy8jmAkU64yUobTw261F.cs.Net Code: uhGaDdrYN74lAGxvddnZJYPGs4cRlgk
                      Source: C:\Users\user\Desktop\7laJ4zKd8O.exeCode function: 0_2_00007FFD9B7000AD pushad ; iretd 0_2_00007FFD9B7000C1
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 1_2_00007FFD9B5DD2A5 pushad ; iretd 1_2_00007FFD9B5DD2A6
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 1_2_00007FFD9B6F00AD pushad ; iretd 1_2_00007FFD9B6F00C1
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 1_2_00007FFD9B7C2316 push 8B485F94h; iretd 1_2_00007FFD9B7C231B
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_00007FFD9B60D250 pushfd ; retf 4_2_00007FFD9B60D251
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_00007FFD9B60D5D0 pushfd ; retf 4_2_00007FFD9B60D5D1
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_00007FFD9B60D950 pushfd ; retf 4_2_00007FFD9B60D951
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_00007FFD9B60DDD0 pushfd ; retf 4_2_00007FFD9B60DDD1
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_00007FFD9B60E150 pushfd ; retf 4_2_00007FFD9B60E151
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_00007FFD9B60E4D0 pushfd ; retf 4_2_00007FFD9B60E4D1
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_00007FFD9B60E6C0 pushfd ; retf 4_2_00007FFD9B60E6C1
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_00007FFD9B60EA40 pushfd ; retf 4_2_00007FFD9B60EA41
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_00007FFD9B60EEC0 pushfd ; retf 4_2_00007FFD9B60EEC1
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_00007FFD9B60F240 pushfd ; retf 4_2_00007FFD9B60F241
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_00007FFD9B60F540 pushfd ; retf 4_2_00007FFD9B60F541
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_00007FFD9B60FB40 pushfd ; retf 4_2_00007FFD9B60FB41
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_00007FFD9B60D330 pushfd ; retf 4_2_00007FFD9B60D331
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_00007FFD9B60D6B0 pushfd ; retf 4_2_00007FFD9B60D6B1
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_00007FFD9B60DA30 pushfd ; retf 4_2_00007FFD9B60DA31
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_00007FFD9B60DEB0 pushfd ; retf 4_2_00007FFD9B60DEB1
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_00007FFD9B60E230 pushfd ; retf 4_2_00007FFD9B60E231
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_00007FFD9B60E7A0 pushfd ; retf 4_2_00007FFD9B60E7A1
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_00007FFD9B60EB20 pushfd ; retf 4_2_00007FFD9B60EB21
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_00007FFD9B60EFA0 pushfd ; retf 4_2_00007FFD9B60EFA1
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_00007FFD9B60F320 pushfd ; retf 4_2_00007FFD9B60F321
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_00007FFD9B60F620 pushfd ; retf 4_2_00007FFD9B60F621
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_00007FFD9B60FC20 pushfd ; retf 4_2_00007FFD9B60FC21
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_00007FFD9B60FD20 pushfd ; retf 4_2_00007FFD9B60FD21
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_00007FFD9B60D2A5 pushad ; iretd 4_2_00007FFD9B60D2A6
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_00007FFD9B60D410 pushfd ; retf 4_2_00007FFD9B60D411
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_00007FFD9B60D090 pushfd ; retf 4_2_00007FFD9B60D091
                      Source: 7laJ4zKd8O.exe, wv1Aini1D0MNQZnSZLTtKeJ7oYOZ7ljomptfoHmRxByJMTNrUBhIUIx2GjWI5kP.csHigh entropy of concatenated method names: 'UtWzlxJ6mGjaRI8sRD86EeaJFauW4MMSSxUgqf68w2BJChdSz', 'aP5c5Z6EiKolYq5fsUHmxOWHVNa8U3w7lBcW5t9IdQcTNujds', 'J4AVIzKBfEAZ1P41CIWfOLcA6nqfb42NEeRpGd7d7AlmvjqPq', '_8KEGyRrlfgW94LIke5t3L5s', 'mWcUYaYKUk4Od2D2V0SiQpj', 'NgJ0bEfawIKEgZjdCd64Or9', '_6UNrdFtr6ySXfC5mHQWo3E1', 'XTCz8MAT4ybFFj0IKOvpULV', 'bqHvEVu9YpbjWw4Mg9j6i6N', 'cN3PTm7ARNvh4711zL8IKBF'
                      Source: 7laJ4zKd8O.exe, x5Fq8uSCYyk7HVQByzNH4qy9Qv1QEHZ.csHigh entropy of concatenated method names: 'FPQCAFKoFoD83nQjkJqFr4NChdjRUrgPBgkZY52qOc0DMdtDT', 'vm5RAxcLUnwHgrF4StKPslhB0HuQFn9Aq1gOHAS65DXOgdkRD', 'VkWzQlhXFARtmBi6ljXOxG9Cb0fCYWE0eH9oSXTCQWX6URJwE', 'aVqUE4mFJAjcaVs0bpthSOP66l8K7z2XzvTnnXlDNXV9qfIXr'
                      Source: 7laJ4zKd8O.exe, CEkX4bCuLAmJhVPyDPpH8ouZzyqGHhY.csHigh entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'W0pCsFQj2kC7JQMDGym4G8oVc5GcZbfOvviLfvSOC7L8CrKFB', 'A5rEZ3ccqD8HdKvOQ2GOMG0Imj8kNGbyNBsmoscWhoX4YSqXM', 'JNyJG3bPFqFZ0UCqLOTIewwVt5aWnVQBlv9KypsNiTgtjIC1K', '_4vpYhwKsZvyy1XNiDHJW1T0FkN2SKzqqHUoWJyxHbuAOidRyY'
                      Source: 7laJ4zKd8O.exe, Skt4vYJaDQ91WTd8QSnbr2m2SfXlX4d.csHigh entropy of concatenated method names: 'jd6LyIbSXwmI3goef9HzxFpoAdRsAcH', 'QCrklzUC0WsJdsizLk37E3huplzffB9', '_05QvXxbPesWeODV6HtVx2SVbb2tv2iC', 'UoKekLh8HEDnu5lC7xl7FGURoTOYd39', 'fSDVzJ8OFyZKeGCkF522NwJ8BM3bNYi', 'wWcOB0TE4P9kqj9pEC6NerWbCBN6IRr', 'fY4Ii7fIlxr75PVN2cKw12AdzZGrss9', 'oe6J3AE5Vt4xsOUx21HzZ2O2ZcvItPt', '_8iVVMzwtU6n5pueydLyJcamB77mthUa', '_3vMTFbfRJ1CPsxiZ2W60SRZm7ebW1Tw'
                      Source: 7laJ4zKd8O.exe, uI0CzLTkSnsGaIhd8cMV4PscwTdIKWk.csHigh entropy of concatenated method names: 'aVzU0SLPiIntZcag2U3kAnIeGBT0Tj4', 'nh2PSO5EcZrPeMu1aBBuDHlkqUb08AwtlSElzusGY4hE9TrzfaAMdxdQ4UBt09in8G1gbu73zNyTtFy9E', 'gzVF5JsqHJh7c1wH4RlXwynFPI1KLxZ4S5CBCl8B0512WHCK0dhwbKuCig0oUhEH9o1CoyRBmK8Z1nOZL', '_8MWhnu8L6KdsMjqIxy8gKdd2ACRZRzv22XIKvxaxU9LO38U8BArbyDlrcXexxQjfJvgk481gAJ46uJvFu', 'MXo18jA1s9P1fT1YWSXxlK2iM0EsPnXj8YZpWgBp54DDwIfw7KSwlTSww5iWg5GmbyJBHVRLq7tRXvjiE'
                      Source: 7laJ4zKd8O.exe, 4p2MOjMmg0Mw3eToQaNKl4iotxvvp0Ha5Yn2PI7qTHssZDAsJA7LQLNuPGsnIg8.csHigh entropy of concatenated method names: 'k7A486Kc4J6Jsajas0XXwjRfDzN67ndPWEO2pLlsS6r453TFwZcK5UXC0gRls5m', '_8sV5urPCuLoEA5Vr2XVUxltNv8PnatMG8cqaKUw59toF7IJb4D7Gj64FmON1kOE', 'lsg58ZbsqtE5uV5XaBwFmbh8wCEmltUG1PxuBkMWMOH4P9xDU5FgVOaHfktKcMR', 'zu1THx7o8dvjazCPvqiJ2RH8LlzOXKPUWdIWnddKK1xWeV46okmCzaO01HO1ckJ', 'uR8ixz4YIal81V4ZFZwataMsSbK9pI2kmgaK82FbadocPdMVnTrWodxa1qF2QVk', 'XAP3jueqwcFfeQxbbC4xdxIz9yMkdZZQzxI4YIS41a9ewCXY1B0P6ZAwa0tyWxB', 'VXiUP9LhAPfXAL9usIRMKToG0EthuGhgolpfGzimOXORPK1DvT2qNPXYYwo9gug', '_8bCNW1oxV8PqP3ovqQeFgyKlbIDpTgze2cX7Zud5X5ZELd5Kj0boMyRkAdyD2MO', 'zIQvRQw2JdriE9paHGkrIoVK0juIe39MZH2ojkdLrVkq5KXHiHw9xNef5bytNBe', 'UwIvbsoIsGBP8Q94ysf07hyK2dcWGXnJY0YuJfDrqdEHguQ3n6C3J5IiykuRfk5'
                      Source: 7laJ4zKd8O.exe, skEKY7g1SLbLcMv94Pv2L68O2M8A6Cc.csHigh entropy of concatenated method names: 'KNqHpEvLR6YBGfUfikcB57QwryjExs1', 'NAh6cQSC2Fx7PCLvmhKCafCoYlQWAxH', 'CrEaUgrX8ObzyKjhvlayfgxRc0pLf6r', 'y2LbkPR0UCSp0mnAze6ouPmGAOWNN4W', 'u1PuaDFb3MitWKz046xKDBYMfP65IBB', 'pTs96D3KnyejpO8A2dNLqtRRkIuaeve', 'YwSQz3TQDhW8JBFhZDDnginKDL6JZ7S', 'TMlS7uC4lDvMAOVirWkx5nrOcGERbGx', 'pDHqtZC9UFyt8TJsNXsn9TnBoAVWRqx', '_6EKol0QnIMmLAKFaxxTqwLr5NTMgg6O'
                      Source: 7laJ4zKd8O.exe, uKqaBGoSZcA6KDZRLyJMwl4B1NjzhP8PLu3ssdXOkCEruoskITa54wh7AUGeYL5.csHigh entropy of concatenated method names: 'GQVjb46a27YoXPU5XvbXDuSH1qtfrmiCdnVNBGJtf3tGznxsfAYPzhEaIRkJTev', 'DaJlHekWwy4UV9iaw9yi6PN', 'XjRP3LXqhwV0DtUT6F9lDFB', 'GQJwQwArorsCT3TkMxaKGkU', 'L1VAAig7udUlPHTVSW7bkSF'
                      Source: 7laJ4zKd8O.exe, GE5ueaieEyepBbnldFzwRUIrAX0F5oA.csHigh entropy of concatenated method names: 'O3xeg4HQeLAYlhqwZnlxtAUhBUdd5Yi', 'niQoA7pvv51nwMkaQAaBXzflhEdFjRX', 'd5aXeSCpcuFTSSPVM8e9oa7APQOaaX7', '_9bFyNpb72wPgHNZEEzhok8tfB6DFfwVnU8FTLunZwG9WaGU2jG6FfYhMv1wK61S', '_49HwY3vOYPDYJGfcKUDOEhjB4R1yfquM1E7j2MmZlZ1pBpwmktmfU4W4Eji8Lm7', 'EOYglfLwt3gCoylKTIdMK9spVsCeIsDoNDUGQlC20jBRcvT2BdSbT1wDUn4aa2n', 'WhIYqlNipWBWjldrdTogmnieWjuWFsvizyalb8D1L4QWjZZPHJx0F5qjp5QjApS', 'VyBOqDqOevzUgxTvRHOk8v5HgLKaVk5JL2GCxbUbkn4caF7hVEXkqkMt79yTW1K', 'BJnmoS5nT6eKK7gIv8CJJgcELPkxlk8ktKNpvrhRKs87duqXA8go8DLCrFtDsRa', 'TOxasXni9ayWLKkk549OHiQqN16fGeJhH74CczJsNfD6QhBQapZd1SSe22dpsCO'
                      Source: 7laJ4zKd8O.exe, zWjH9RA7SnfJy8jmAkU64yUobTw261F.csHigh entropy of concatenated method names: 'Z4nP6sptETXwkLnMdUFJOXPnEeu1531', 'Gn1JkJgOxIaSr4FK0dK8RGlYLWHlKSU', 'nztpreC1vJTcbuYZs8A7YBT3h9LBf9M', 'wOVgdiNdVeyXX9rexHHzR7UaIq9dB9A', 'DVvUdnpEVpp5jws6i1b1jXBkbBj8hB5', 'EQ5DztqdCmMZ10k3AzCuWOUHUtpUQS7', '_88bAhPl5JRDa9rznvWzykDzT3YV5k3c', '_8pih7uvZKpxayflQqASBjpM77yl1sej', 'gzumk0cHPhsr53Lkgu23HamOlcFfSM0', 'Urnanc8ah82sYFM2lpl6ECb5ZgxQfYX'
                      Source: 7laJ4zKd8O.exe, bnoPd8rk4nlx4wsg5Qww0uDiX9FLWXylGXaJ0OYZceejbPLhjJroOKFxmgmiRi7.csHigh entropy of concatenated method names: 'M9OGE50c72enavdvDKjnPl0qYjQmLHkz5Wl85cGhh92Qu2xPOEwW4OKmk7p2IiS', 'bOlG2BBfHpH73D3GzlXqPK8r72jH4jLNbUFviZUhg2y2FlZRTpRDhsGCP7FPdps', 'ZIGeStIiFIHrwf1aoaaSoMmv9AHQycJOfFPrjBJLD1Fh4oNivSeS6V2IEAkHofT', 'bv4wYCT1gZes8kRH0CKRmYB4oGYKCba2LRmq0VBLtgSggXTXrXKvk1f44Jj6anQ', 'UTo8HTiRH6adNZXzucqlsWq', '_3dazCJu8fB5qvbCgWWRzsEM', 'aLdJUoztG4k7NO0xuuBHTDG', 'Gss9SN71tXqhaGLt5Pcn8Px', 'J5YQ47D5vmltbqxqiHOYtTY', '_6VNueL32Egg63JYaXeUdukz'
                      Source: System User.exe.0.dr, wv1Aini1D0MNQZnSZLTtKeJ7oYOZ7ljomptfoHmRxByJMTNrUBhIUIx2GjWI5kP.csHigh entropy of concatenated method names: 'UtWzlxJ6mGjaRI8sRD86EeaJFauW4MMSSxUgqf68w2BJChdSz', 'aP5c5Z6EiKolYq5fsUHmxOWHVNa8U3w7lBcW5t9IdQcTNujds', 'J4AVIzKBfEAZ1P41CIWfOLcA6nqfb42NEeRpGd7d7AlmvjqPq', '_8KEGyRrlfgW94LIke5t3L5s', 'mWcUYaYKUk4Od2D2V0SiQpj', 'NgJ0bEfawIKEgZjdCd64Or9', '_6UNrdFtr6ySXfC5mHQWo3E1', 'XTCz8MAT4ybFFj0IKOvpULV', 'bqHvEVu9YpbjWw4Mg9j6i6N', 'cN3PTm7ARNvh4711zL8IKBF'
                      Source: System User.exe.0.dr, x5Fq8uSCYyk7HVQByzNH4qy9Qv1QEHZ.csHigh entropy of concatenated method names: 'FPQCAFKoFoD83nQjkJqFr4NChdjRUrgPBgkZY52qOc0DMdtDT', 'vm5RAxcLUnwHgrF4StKPslhB0HuQFn9Aq1gOHAS65DXOgdkRD', 'VkWzQlhXFARtmBi6ljXOxG9Cb0fCYWE0eH9oSXTCQWX6URJwE', 'aVqUE4mFJAjcaVs0bpthSOP66l8K7z2XzvTnnXlDNXV9qfIXr'
                      Source: System User.exe.0.dr, CEkX4bCuLAmJhVPyDPpH8ouZzyqGHhY.csHigh entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'W0pCsFQj2kC7JQMDGym4G8oVc5GcZbfOvviLfvSOC7L8CrKFB', 'A5rEZ3ccqD8HdKvOQ2GOMG0Imj8kNGbyNBsmoscWhoX4YSqXM', 'JNyJG3bPFqFZ0UCqLOTIewwVt5aWnVQBlv9KypsNiTgtjIC1K', '_4vpYhwKsZvyy1XNiDHJW1T0FkN2SKzqqHUoWJyxHbuAOidRyY'
                      Source: System User.exe.0.dr, Skt4vYJaDQ91WTd8QSnbr2m2SfXlX4d.csHigh entropy of concatenated method names: 'jd6LyIbSXwmI3goef9HzxFpoAdRsAcH', 'QCrklzUC0WsJdsizLk37E3huplzffB9', '_05QvXxbPesWeODV6HtVx2SVbb2tv2iC', 'UoKekLh8HEDnu5lC7xl7FGURoTOYd39', 'fSDVzJ8OFyZKeGCkF522NwJ8BM3bNYi', 'wWcOB0TE4P9kqj9pEC6NerWbCBN6IRr', 'fY4Ii7fIlxr75PVN2cKw12AdzZGrss9', 'oe6J3AE5Vt4xsOUx21HzZ2O2ZcvItPt', '_8iVVMzwtU6n5pueydLyJcamB77mthUa', '_3vMTFbfRJ1CPsxiZ2W60SRZm7ebW1Tw'
                      Source: System User.exe.0.dr, uI0CzLTkSnsGaIhd8cMV4PscwTdIKWk.csHigh entropy of concatenated method names: 'aVzU0SLPiIntZcag2U3kAnIeGBT0Tj4', 'nh2PSO5EcZrPeMu1aBBuDHlkqUb08AwtlSElzusGY4hE9TrzfaAMdxdQ4UBt09in8G1gbu73zNyTtFy9E', 'gzVF5JsqHJh7c1wH4RlXwynFPI1KLxZ4S5CBCl8B0512WHCK0dhwbKuCig0oUhEH9o1CoyRBmK8Z1nOZL', '_8MWhnu8L6KdsMjqIxy8gKdd2ACRZRzv22XIKvxaxU9LO38U8BArbyDlrcXexxQjfJvgk481gAJ46uJvFu', 'MXo18jA1s9P1fT1YWSXxlK2iM0EsPnXj8YZpWgBp54DDwIfw7KSwlTSww5iWg5GmbyJBHVRLq7tRXvjiE'
                      Source: System User.exe.0.dr, 4p2MOjMmg0Mw3eToQaNKl4iotxvvp0Ha5Yn2PI7qTHssZDAsJA7LQLNuPGsnIg8.csHigh entropy of concatenated method names: 'k7A486Kc4J6Jsajas0XXwjRfDzN67ndPWEO2pLlsS6r453TFwZcK5UXC0gRls5m', '_8sV5urPCuLoEA5Vr2XVUxltNv8PnatMG8cqaKUw59toF7IJb4D7Gj64FmON1kOE', 'lsg58ZbsqtE5uV5XaBwFmbh8wCEmltUG1PxuBkMWMOH4P9xDU5FgVOaHfktKcMR', 'zu1THx7o8dvjazCPvqiJ2RH8LlzOXKPUWdIWnddKK1xWeV46okmCzaO01HO1ckJ', 'uR8ixz4YIal81V4ZFZwataMsSbK9pI2kmgaK82FbadocPdMVnTrWodxa1qF2QVk', 'XAP3jueqwcFfeQxbbC4xdxIz9yMkdZZQzxI4YIS41a9ewCXY1B0P6ZAwa0tyWxB', 'VXiUP9LhAPfXAL9usIRMKToG0EthuGhgolpfGzimOXORPK1DvT2qNPXYYwo9gug', '_8bCNW1oxV8PqP3ovqQeFgyKlbIDpTgze2cX7Zud5X5ZELd5Kj0boMyRkAdyD2MO', 'zIQvRQw2JdriE9paHGkrIoVK0juIe39MZH2ojkdLrVkq5KXHiHw9xNef5bytNBe', 'UwIvbsoIsGBP8Q94ysf07hyK2dcWGXnJY0YuJfDrqdEHguQ3n6C3J5IiykuRfk5'
                      Source: System User.exe.0.dr, skEKY7g1SLbLcMv94Pv2L68O2M8A6Cc.csHigh entropy of concatenated method names: 'KNqHpEvLR6YBGfUfikcB57QwryjExs1', 'NAh6cQSC2Fx7PCLvmhKCafCoYlQWAxH', 'CrEaUgrX8ObzyKjhvlayfgxRc0pLf6r', 'y2LbkPR0UCSp0mnAze6ouPmGAOWNN4W', 'u1PuaDFb3MitWKz046xKDBYMfP65IBB', 'pTs96D3KnyejpO8A2dNLqtRRkIuaeve', 'YwSQz3TQDhW8JBFhZDDnginKDL6JZ7S', 'TMlS7uC4lDvMAOVirWkx5nrOcGERbGx', 'pDHqtZC9UFyt8TJsNXsn9TnBoAVWRqx', '_6EKol0QnIMmLAKFaxxTqwLr5NTMgg6O'
                      Source: System User.exe.0.dr, uKqaBGoSZcA6KDZRLyJMwl4B1NjzhP8PLu3ssdXOkCEruoskITa54wh7AUGeYL5.csHigh entropy of concatenated method names: 'GQVjb46a27YoXPU5XvbXDuSH1qtfrmiCdnVNBGJtf3tGznxsfAYPzhEaIRkJTev', 'DaJlHekWwy4UV9iaw9yi6PN', 'XjRP3LXqhwV0DtUT6F9lDFB', 'GQJwQwArorsCT3TkMxaKGkU', 'L1VAAig7udUlPHTVSW7bkSF'
                      Source: System User.exe.0.dr, GE5ueaieEyepBbnldFzwRUIrAX0F5oA.csHigh entropy of concatenated method names: 'O3xeg4HQeLAYlhqwZnlxtAUhBUdd5Yi', 'niQoA7pvv51nwMkaQAaBXzflhEdFjRX', 'd5aXeSCpcuFTSSPVM8e9oa7APQOaaX7', '_9bFyNpb72wPgHNZEEzhok8tfB6DFfwVnU8FTLunZwG9WaGU2jG6FfYhMv1wK61S', '_49HwY3vOYPDYJGfcKUDOEhjB4R1yfquM1E7j2MmZlZ1pBpwmktmfU4W4Eji8Lm7', 'EOYglfLwt3gCoylKTIdMK9spVsCeIsDoNDUGQlC20jBRcvT2BdSbT1wDUn4aa2n', 'WhIYqlNipWBWjldrdTogmnieWjuWFsvizyalb8D1L4QWjZZPHJx0F5qjp5QjApS', 'VyBOqDqOevzUgxTvRHOk8v5HgLKaVk5JL2GCxbUbkn4caF7hVEXkqkMt79yTW1K', 'BJnmoS5nT6eKK7gIv8CJJgcELPkxlk8ktKNpvrhRKs87duqXA8go8DLCrFtDsRa', 'TOxasXni9ayWLKkk549OHiQqN16fGeJhH74CczJsNfD6QhBQapZd1SSe22dpsCO'
                      Source: System User.exe.0.dr, zWjH9RA7SnfJy8jmAkU64yUobTw261F.csHigh entropy of concatenated method names: 'Z4nP6sptETXwkLnMdUFJOXPnEeu1531', 'Gn1JkJgOxIaSr4FK0dK8RGlYLWHlKSU', 'nztpreC1vJTcbuYZs8A7YBT3h9LBf9M', 'wOVgdiNdVeyXX9rexHHzR7UaIq9dB9A', 'DVvUdnpEVpp5jws6i1b1jXBkbBj8hB5', 'EQ5DztqdCmMZ10k3AzCuWOUHUtpUQS7', '_88bAhPl5JRDa9rznvWzykDzT3YV5k3c', '_8pih7uvZKpxayflQqASBjpM77yl1sej', 'gzumk0cHPhsr53Lkgu23HamOlcFfSM0', 'Urnanc8ah82sYFM2lpl6ECb5ZgxQfYX'
                      Source: System User.exe.0.dr, bnoPd8rk4nlx4wsg5Qww0uDiX9FLWXylGXaJ0OYZceejbPLhjJroOKFxmgmiRi7.csHigh entropy of concatenated method names: 'M9OGE50c72enavdvDKjnPl0qYjQmLHkz5Wl85cGhh92Qu2xPOEwW4OKmk7p2IiS', 'bOlG2BBfHpH73D3GzlXqPK8r72jH4jLNbUFviZUhg2y2FlZRTpRDhsGCP7FPdps', 'ZIGeStIiFIHrwf1aoaaSoMmv9AHQycJOfFPrjBJLD1Fh4oNivSeS6V2IEAkHofT', 'bv4wYCT1gZes8kRH0CKRmYB4oGYKCba2LRmq0VBLtgSggXTXrXKvk1f44Jj6anQ', 'UTo8HTiRH6adNZXzucqlsWq', '_3dazCJu8fB5qvbCgWWRzsEM', 'aLdJUoztG4k7NO0xuuBHTDG', 'Gss9SN71tXqhaGLt5Pcn8Px', 'J5YQ47D5vmltbqxqiHOYtTY', '_6VNueL32Egg63JYaXeUdukz'
                      Source: C:\Users\user\Desktop\7laJ4zKd8O.exeFile created: C:\Users\user\AppData\Roaming\System User.exeJump to dropped file

                      Boot Survival

                      barindex
                      Uses schtasks.exe or at.exe to add and modify task schedules
                      Source: C:\Users\user\Desktop\7laJ4zKd8O.exeProcess created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "System User" /tr "C:\Users\user\AppData\Roaming\System User.exe"
                      Source: C:\Users\user\Desktop\7laJ4zKd8O.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System User.lnkJump to behavior
                      Source: C:\Users\user\Desktop\7laJ4zKd8O.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System User.lnkJump to behavior
                      Source: C:\Users\user\Desktop\7laJ4zKd8O.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run System UserJump to behavior
                      Source: C:\Users\user\Desktop\7laJ4zKd8O.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run System UserJump to behavior

                      Hooking and other Techniques for Hiding and Protection

                      barindex
                      Loading BitLocker PowerShell Module
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                      Source: C:\Users\user\Desktop\7laJ4zKd8O.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\7laJ4zKd8O.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\7laJ4zKd8O.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\7laJ4zKd8O.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\7laJ4zKd8O.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\7laJ4zKd8O.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\7laJ4zKd8O.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\7laJ4zKd8O.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\7laJ4zKd8O.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\7laJ4zKd8O.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\7laJ4zKd8O.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\7laJ4zKd8O.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\7laJ4zKd8O.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\7laJ4zKd8O.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\7laJ4zKd8O.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\7laJ4zKd8O.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\7laJ4zKd8O.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\7laJ4zKd8O.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\7laJ4zKd8O.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\7laJ4zKd8O.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\7laJ4zKd8O.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\7laJ4zKd8O.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\7laJ4zKd8O.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\7laJ4zKd8O.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\7laJ4zKd8O.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\7laJ4zKd8O.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\7laJ4zKd8O.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\7laJ4zKd8O.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\7laJ4zKd8O.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\7laJ4zKd8O.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\7laJ4zKd8O.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\7laJ4zKd8O.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\7laJ4zKd8O.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\7laJ4zKd8O.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\7laJ4zKd8O.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\7laJ4zKd8O.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\7laJ4zKd8O.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\7laJ4zKd8O.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\7laJ4zKd8O.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\7laJ4zKd8O.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\7laJ4zKd8O.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\7laJ4zKd8O.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\7laJ4zKd8O.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\7laJ4zKd8O.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\7laJ4zKd8O.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\7laJ4zKd8O.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\7laJ4zKd8O.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\7laJ4zKd8O.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\7laJ4zKd8O.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\7laJ4zKd8O.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\7laJ4zKd8O.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\7laJ4zKd8O.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\7laJ4zKd8O.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\7laJ4zKd8O.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\7laJ4zKd8O.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\7laJ4zKd8O.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\7laJ4zKd8O.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\System User.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\System User.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\System User.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\System User.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\System User.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\System User.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\System User.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\System User.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\System User.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\System User.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\System User.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\System User.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\System User.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\System User.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\System User.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\System User.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\System User.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\System User.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\System User.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\System User.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\System User.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\System User.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\System User.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\System User.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\System User.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\System User.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\System User.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\System User.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\System User.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\System User.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\System User.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\System User.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\System User.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\System User.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\System User.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\System User.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\System User.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\System User.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\System User.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\System User.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\System User.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\System User.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\System User.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\System User.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\System User.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\System User.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\System User.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\System User.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\System User.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\System User.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\System User.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\System User.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\System User.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\System User.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\System User.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\System User.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\System User.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\System User.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\System User.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\System User.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\System User.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\System User.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\System User.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\System User.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\System User.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\System User.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\System User.exeProcess information set: NOOPENFILEERRORBOX

                      Malware Analysis System Evasion

                      barindex
                      Check if machine is in data center or colocation facility
                      Source: global trafficHTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
                      Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
                      Source: C:\Users\user\Desktop\7laJ4zKd8O.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
                      Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
                      Source: 7laJ4zKd8O.exe, 00000000.00000002.3005446682.0000000003161000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: SBIEDLL.DLL
                      Source: 7laJ4zKd8O.exe, System User.exe.0.drBinary or memory string: SBIEDLL.DLLCWYCNZVXY2II8K2GTE85DNHUUOUKO1EFPE8EN7AOJPCLSJ4YZECY3XYM3AKVI64ZCLOZLLZPKWAWVWX1L0PCWAOB4PTMMTTHT5RMC4LRZEY7AJUL3TIYPYNDZL9PZT0MQGOBBGHRQ5YXU1EEKUHZ0ZCQQ9PH09LE1VJWLMV8UUU5EGZXTQDPAGRJFO6KZZGC8CTPP6CYCDNNOHSCCXXGQVDVMU2GZTE5TVA6SCILZTULCYSAKBN8A3ZUXMC0EMMGSNWH24HYWDU666RHYVZ7Q1Z2OCQ3OS4G5MX1I60LAEX4CXNO7AJDXHPHLZXNUTYTHY2IWDAHZEPFJAINT0DCPTI9HWALFDC5XQZ1LKVNIYTRTENP42LFFV2C49ZRPH8DT1W1FAREINSAB8ECCBB8XAXGBJLN4DTLII6TQF0JAYPWBZ7WMY129PU9KOYTZ1DHCICTPENDDK0EEIF5BSMACKXJP5XEMOKHFWO4NURZL7XEZOYY1ATUCTFDBLXOYB3MXEYTOI2RZBIGJP4TFZMJL1WX0YDTRNWAKVMPBSCWWYXNSCTZLAHY6ZM3WO1QCJX6SZALS7OMMSIVU1PV5VF7NDSOCBEXSULP2NGJRHZGMLBCNGFLOD0NGMTOKQN57FFPFHDLAO1ZIWCSLA7GGTYAJUJVACUDJNIBL1HUUEJR7LQA9YPUZEFFY9LMZJNPINFO
                      Source: C:\Users\user\Desktop\7laJ4zKd8O.exeMemory allocated: 1790000 memory reserve | memory write watchJump to behavior
                      Source: C:\Users\user\Desktop\7laJ4zKd8O.exeMemory allocated: 1B160000 memory reserve | memory write watchJump to behavior
                      Source: C:\Users\user\AppData\Roaming\System User.exeMemory allocated: 810000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\System User.exeMemory allocated: 1A510000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\System User.exeMemory allocated: 2DE0000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\System User.exeMemory allocated: 1ADE0000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\System User.exeMemory allocated: 21A0000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\System User.exeMemory allocated: 1A330000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\System User.exeMemory allocated: B40000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\System User.exeMemory allocated: 1A4E0000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\7laJ4zKd8O.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                      Source: C:\Users\user\AppData\Roaming\System User.exeThread delayed: delay time: 922337203685477
                      Source: C:\Users\user\AppData\Roaming\System User.exeThread delayed: delay time: 922337203685477
                      Source: C:\Users\user\AppData\Roaming\System User.exeThread delayed: delay time: 922337203685477
                      Source: C:\Users\user\AppData\Roaming\System User.exeThread delayed: delay time: 922337203685477
                      Source: C:\Users\user\Desktop\7laJ4zKd8O.exeWindow / User API: threadDelayed 433Jump to behavior
                      Source: C:\Users\user\Desktop\7laJ4zKd8O.exeWindow / User API: threadDelayed 9401Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5370Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4430Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 7139Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2499Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 8104Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1486Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 6357
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3422
                      Source: C:\Users\user\Desktop\7laJ4zKd8O.exe TID: 3960Thread sleep time: -37815825351104557s >= -30000sJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7028Thread sleep time: -9223372036854770s >= -30000sJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4900Thread sleep time: -6456360425798339s >= -30000sJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5224Thread sleep count: 8104 > 30Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5224Thread sleep count: 1486 > 30Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1712Thread sleep time: -2767011611056431s >= -30000sJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2120Thread sleep count: 6357 > 30
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5164Thread sleep count: 3422 > 30
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3156Thread sleep time: -3689348814741908s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\System User.exe TID: 1808Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\System User.exe TID: 5496Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\System User.exe TID: 3336Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\System User.exe TID: 2004Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Users\user\Desktop\7laJ4zKd8O.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
                      Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                      Source: C:\Users\user\Desktop\7laJ4zKd8O.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                      Source: C:\Users\user\Desktop\7laJ4zKd8O.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                      Source: C:\Users\user\AppData\Roaming\System User.exeFile Volume queried: C:\ FullSizeInformation
                      Source: C:\Users\user\AppData\Roaming\System User.exeFile Volume queried: C:\ FullSizeInformation
                      Source: C:\Users\user\AppData\Roaming\System User.exeFile Volume queried: C:\ FullSizeInformation
                      Source: C:\Users\user\AppData\Roaming\System User.exeFile Volume queried: C:\ FullSizeInformation
                      Source: C:\Users\user\Desktop\7laJ4zKd8O.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                      Source: C:\Users\user\AppData\Roaming\System User.exeThread delayed: delay time: 922337203685477
                      Source: C:\Users\user\AppData\Roaming\System User.exeThread delayed: delay time: 922337203685477
                      Source: C:\Users\user\AppData\Roaming\System User.exeThread delayed: delay time: 922337203685477
                      Source: C:\Users\user\AppData\Roaming\System User.exeThread delayed: delay time: 922337203685477
                      Source: System User.exe.0.drBinary or memory string: vmware
                      Source: 7laJ4zKd8O.exe, 00000000.00000002.3013220890.000000001BFE6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlltt
                      Source: C:\Users\user\Desktop\7laJ4zKd8O.exeProcess information queried: ProcessInformationJump to behavior

                      Anti Debugging

                      barindex
                      Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
                      Source: C:\Users\user\Desktop\7laJ4zKd8O.exeCode function: 0_2_00007FFD9B707A81 CheckRemoteDebuggerPresent,0_2_00007FFD9B707A81
                      Source: C:\Users\user\Desktop\7laJ4zKd8O.exeProcess queried: DebugPortJump to behavior
                      Source: C:\Users\user\Desktop\7laJ4zKd8O.exeProcess token adjusted: DebugJump to behavior
                      Source: C:\Users\user\Desktop\7laJ4zKd8O.exeProcess token adjusted: DebugJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                      Source: C:\Users\user\AppData\Roaming\System User.exeProcess token adjusted: Debug
                      Source: C:\Users\user\AppData\Roaming\System User.exeProcess token adjusted: Debug
                      Source: C:\Users\user\Desktop\7laJ4zKd8O.exeMemory allocated: page read and write | page guardJump to behavior

                      HIPS / PFW / Operating System Protection Evasion

                      barindex
                      Adds a directory exclusion to Windows Defender
                      Source: C:\Users\user\Desktop\7laJ4zKd8O.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\7laJ4zKd8O.exe'
                      Source: C:\Users\user\Desktop\7laJ4zKd8O.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\System User.exe'
                      Source: C:\Users\user\Desktop\7laJ4zKd8O.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\7laJ4zKd8O.exe'Jump to behavior
                      Source: C:\Users\user\Desktop\7laJ4zKd8O.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\System User.exe'Jump to behavior
                      Bypasses PowerShell execution policy
                      Source: C:\Users\user\Desktop\7laJ4zKd8O.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\7laJ4zKd8O.exe'
                      Source: C:\Users\user\Desktop\7laJ4zKd8O.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\7laJ4zKd8O.exe'Jump to behavior
                      Source: C:\Users\user\Desktop\7laJ4zKd8O.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '7laJ4zKd8O.exe'Jump to behavior
                      Source: C:\Users\user\Desktop\7laJ4zKd8O.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\System User.exe'Jump to behavior
                      Source: C:\Users\user\Desktop\7laJ4zKd8O.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'System User.exe'Jump to behavior
                      Source: C:\Users\user\Desktop\7laJ4zKd8O.exeProcess created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "System User" /tr "C:\Users\user\AppData\Roaming\System User.exe"Jump to behavior
                      Source: 7laJ4zKd8O.exe, 00000000.00000002.3005446682.0000000003229000.00000004.00000800.00020000.00000000.sdmp, 7laJ4zKd8O.exe, 00000000.00000002.3005446682.00000000031CC000.00000004.00000800.00020000.00000000.sdmp, 7laJ4zKd8O.exe, 00000000.00000002.3005446682.0000000003204000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 'PING!<Xwormmm>Program Manager<Xwormmm>0
                      Source: 7laJ4zKd8O.exe, 00000000.00000002.3005446682.0000000003229000.00000004.00000800.00020000.00000000.sdmp, 7laJ4zKd8O.exe, 00000000.00000002.3005446682.00000000031CC000.00000004.00000800.00020000.00000000.sdmp, 7laJ4zKd8O.exe, 00000000.00000002.3005446682.0000000003204000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program Manager
                      Source: 7laJ4zKd8O.exe, 00000000.00000002.3005446682.0000000003229000.00000004.00000800.00020000.00000000.sdmp, 7laJ4zKd8O.exe, 00000000.00000002.3005446682.00000000031CC000.00000004.00000800.00020000.00000000.sdmp, 7laJ4zKd8O.exe, 00000000.00000002.3005446682.0000000003204000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program Manager2`
                      Source: 7laJ4zKd8O.exe, 00000000.00000002.3005446682.0000000003229000.00000004.00000800.00020000.00000000.sdmp, 7laJ4zKd8O.exe, 00000000.00000002.3005446682.00000000031CC000.00000004.00000800.00020000.00000000.sdmp, 7laJ4zKd8O.exe, 00000000.00000002.3005446682.0000000003204000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: PING!<Xwormmm>Program Manager<Xwormmm>0
                      Source: 7laJ4zKd8O.exe, 00000000.00000002.3005446682.0000000003229000.00000004.00000800.00020000.00000000.sdmp, 7laJ4zKd8O.exe, 00000000.00000002.3005446682.00000000031CC000.00000004.00000800.00020000.00000000.sdmp, 7laJ4zKd8O.exe, 00000000.00000002.3005446682.0000000003204000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 'PING!<Xwormmm>Program Manager<Xwormmm>0@
                      Source: C:\Users\user\Desktop\7laJ4zKd8O.exeQueries volume information: C:\Users\user\Desktop\7laJ4zKd8O.exe VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\7laJ4zKd8O.exeQueries volume information: C:\ VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\System User.exeQueries volume information: C:\Users\user\AppData\Roaming\System User.exe VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\System User.exeQueries volume information: C:\Users\user\AppData\Roaming\System User.exe VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\System User.exeQueries volume information: C:\Users\user\AppData\Roaming\System User.exe VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\System User.exeQueries volume information: C:\Users\user\AppData\Roaming\System User.exe VolumeInformation
                      Source: C:\Users\user\Desktop\7laJ4zKd8O.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
                      Source: 7laJ4zKd8O.exe, 00000000.00000002.3013220890.000000001C03A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
                      Source: C:\Users\user\Desktop\7laJ4zKd8O.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

                      Stealing of Sensitive Information

                      barindex
                      Yara detected XWorm
                      Source: Yara matchFile source: 7laJ4zKd8O.exe, type: SAMPLE
                      Source: Yara matchFile source: 0.0.7laJ4zKd8O.exe.f00000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000000.00000000.1750635709.0000000000F02000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.3005446682.00000000031AC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.3005446682.000000000322D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.3005446682.0000000003161000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: 7laJ4zKd8O.exe PID: 6640, type: MEMORYSTR
                      Source: Yara matchFile source: C:\Users\user\AppData\Roaming\System User.exe, type: DROPPED

                      Remote Access Functionality

                      barindex
                      Yara detected XWorm
                      Source: Yara matchFile source: 7laJ4zKd8O.exe, type: SAMPLE
                      Source: Yara matchFile source: 0.0.7laJ4zKd8O.exe.f00000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000000.00000000.1750635709.0000000000F02000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.3005446682.00000000031AC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.3005446682.000000000322D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.3005446682.0000000003161000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: 7laJ4zKd8O.exe PID: 6640, type: MEMORYSTR
                      Source: Yara matchFile source: C:\Users\user\AppData\Roaming\System User.exe, type: DROPPED

                      Mitre Att&ck Matrix

                      ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                      Gather Victim Identity InformationAcquire InfrastructureValid Accounts12
                      Windows Management Instrumentation                      		1
                      Scheduled Task/Job                      		12
                      Process Injection                      		1
                      Masquerading                      		OS Credential Dumping541
                      Security Software Discovery                      		Remote Services11
                      Archive Collected Data                      		1
                      Encrypted Channel                      		Exfiltration Over Other Network MediumAbuse Accessibility Features
                      CredentialsDomainsDefault Accounts1
                      Scheduled Task/Job                      		21
                      Registry Run Keys / Startup Folder                      		1
                      Scheduled Task/Job                      		11
                      Disable or Modify Tools                      		LSASS Memory2
                      Process Discovery                      		Remote Desktop ProtocolData from Removable Media1
                      Non-Standard Port                      		Exfiltration Over BluetoothNetwork Denial of Service
                      Email AddressesDNS ServerDomain Accounts1
                      PowerShell                      		1
                      DLL Side-Loading                      		21
                      Registry Run Keys / Startup Folder                      		151
                      Virtualization/Sandbox Evasion                      		Security Account Manager151
                      Virtualization/Sandbox Evasion                      		SMB/Windows Admin SharesData from Network Shared Drive1
                      Ingress Tool Transfer                      		Automated ExfiltrationData Encrypted for Impact
                      Employee NamesVirtual Private ServerLocal AccountsCronLogin Hook1
                      DLL Side-Loading                      		12
                      Process Injection                      		NTDS1
                      Application Window Discovery                      		Distributed Component Object ModelInput Capture2
                      Non-Application Layer Protocol                      		Traffic DuplicationData Destruction
                      Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
                      Deobfuscate/Decode Files or Information                      		LSA Secrets1
                      System Network Configuration Discovery                      		SSHKeylogging12
                      Application Layer Protocol                      		Scheduled TransferData Encrypted for Impact
                      Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
                      Obfuscated Files or Information                      		Cached Domain Credentials1
                      File and Directory Discovery                      		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                      DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items2
                      Software Packing                      		DCSync23
                      System Information Discovery                      		Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
                      Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job1
                      DLL Side-Loading                      		Proc FilesystemSystem Owner/User DiscoveryCloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement

                      Behavior Graph

                      Hide Legend

                      Legend:

                      • Process
                      • Signature
                      • Created File
                      • DNS/IP Info
                      • Is Dropped
                      • Is Windows Process
                      • Number of created Registry Values
                      • Number of created Files
                      • Visual Basic
                      • Delphi
                      • Java
                      • .Net C# or VB.NET
                      • C, C++ or other language
                      • Is malicious
                      • Internet
                      behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1575204 Sample: 7laJ4zKd8O.exe Startdate: 14/12/2024 Architecture: WINDOWS Score: 100 40 hope-asia.gl.at.ply.gg 2->40 42 ip-api.com 2->42 48 Suricata IDS alerts for network traffic 2->48 50 Found malware configuration 2->50 52 Malicious sample detected (through community Yara rule) 2->52 54 18 other signatures 2->54 8 7laJ4zKd8O.exe 15 6 2->8         started        13 System User.exe 2->13         started        15 System User.exe 2->15         started        17 2 other processes 2->17 signatures3 process4 dnsIp5 44 hope-asia.gl.at.ply.gg 147.185.221.18, 35710, 49765 SALSGIVERUS United States 8->44 46 ip-api.com 208.95.112.1, 49730, 80 TUT-ASUS United States 8->46 38 C:\Users\user\AppData\...\System User.exe, PE32 8->38 dropped 58 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 8->58 60 Protects its processes via BreakOnTermination flag 8->60 62 Bypasses PowerShell execution policy 8->62 64 4 other signatures 8->64 19 powershell.exe 23 8->19         started        22 powershell.exe 23 8->22         started        24 powershell.exe 23 8->24         started        26 2 other processes 8->26 file6 signatures7 process8 signatures9 56 Loading BitLocker PowerShell Module 19->56 28 conhost.exe 19->28         started        30 conhost.exe 22->30         started        32 conhost.exe 24->32         started        34 conhost.exe 26->34         started        36 conhost.exe 26->36         started        process10

                      Screenshots

                      Thumbnails

                      This section contains all screenshots as thumbnails, including those not shown in the slideshow.


                      windows-stand

                      Antivirus, Machine Learning and Genetic Malware Detection

                      Initial Sample

                      SourceDetectionScannerLabelLink
                      7laJ4zKd8O.exe76%ReversingLabsWin32.Exploit.Xworm
                      7laJ4zKd8O.exe100%AviraTR/Spy.Gen
                      7laJ4zKd8O.exe100%Joe Sandbox ML

                      Dropped Files

                      SourceDetectionScannerLabelLink
                      C:\Users\user\AppData\Roaming\System User.exe100%AviraTR/Spy.Gen
                      C:\Users\user\AppData\Roaming\System User.exe100%Joe Sandbox ML
                      C:\Users\user\AppData\Roaming\System User.exe76%ReversingLabsWin32.Exploit.Xworm

                      Unpacked PE Files

                      No Antivirus matches

                      Domains

                      No Antivirus matches

                      URLs

                      SourceDetectionScannerLabelLink
                      hope-asia.gl.at.ply.gg100%Avira URL Cloudmalware
                      http://crl.microso0%Avira URL Cloudsafe

                      Domains and IPs

                      Contacted Domains

                      NameIPActiveMaliciousAntivirus DetectionReputation
                      ip-api.com
                      		208.95.112.1
                      		truefalse
                        		high
                        hope-asia.gl.at.ply.gg
                        		147.185.221.18
                        		truetrue
                          		unknown

                          Contacted URLs

                          NameMaliciousAntivirus DetectionReputation
                          hope-asia.gl.at.ply.ggtrue
                          • Avira URL Cloud: malware
                          		unknown
                          http://ip-api.com/line/?fields=hostingfalse
                            		high

                            URLs from Memory and Binaries

                            NameSourceMaliciousAntivirus DetectionReputation
                            http://nuget.org/NuGet.exepowershell.exe, 00000001.00000002.1883340217.0000026E91481000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1977415363.00000182CCD91000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2108653884.000002BDB0B51000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2296796513.000001E39DE8F000.00000004.00000800.00020000.00000000.sdmpfalse
                              		high
                              http://pesterbdd.com/images/Pester.pngpowershell.exe, 0000000B.00000002.2164162338.000001E38E049000.00000004.00000800.00020000.00000000.sdmpfalse
                                		high
                                http://crl.microsopowershell.exe, 00000009.00000002.2128388765.000002BDB9194000.00000004.00000020.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                		unknown
                                http://schemas.xmlsoap.org/soap/encoding/powershell.exe, 00000001.00000002.1868728706.0000026E81639000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1922679316.00000182BCF48000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2030956829.000002BDA0D0A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2164162338.000001E38E049000.00000004.00000800.00020000.00000000.sdmpfalse
                                  		high
                                  http://www.apache.org/licenses/LICENSE-2.0.htmlpowershell.exe, 0000000B.00000002.2164162338.000001E38E049000.00000004.00000800.00020000.00000000.sdmpfalse
                                    		high
                                    http://schemas.xmlsoap.org/wsdl/powershell.exe, 00000001.00000002.1868728706.0000026E81639000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1922679316.00000182BCF48000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2030956829.000002BDA0D0A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2164162338.000001E38E049000.00000004.00000800.00020000.00000000.sdmpfalse
                                      		high
                                      https://contoso.com/powershell.exe, 0000000B.00000002.2296796513.000001E39DE8F000.00000004.00000800.00020000.00000000.sdmpfalse
                                        		high
                                        https://nuget.org/nuget.exepowershell.exe, 00000001.00000002.1883340217.0000026E91481000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1977415363.00000182CCD91000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2108653884.000002BDB0B51000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2296796513.000001E39DE8F000.00000004.00000800.00020000.00000000.sdmpfalse
                                          		high
                                          https://contoso.com/Licensepowershell.exe, 0000000B.00000002.2296796513.000001E39DE8F000.00000004.00000800.00020000.00000000.sdmpfalse
                                            		high
                                            http://crl.micpowershell.exe, 00000004.00000002.1994363656.00000182D555D000.00000004.00000020.00020000.00000000.sdmpfalse
                                              		high
                                              https://contoso.com/Iconpowershell.exe, 0000000B.00000002.2296796513.000001E39DE8F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                		high
                                                http://crl.micft.cMicRosofpowershell.exe, 00000004.00000002.1994363656.00000182D555D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                  		high
                                                  https://aka.ms/pscore68powershell.exe, 00000001.00000002.1868728706.0000026E81411000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1922679316.00000182BCD21000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2030956829.000002BDA0AE1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2164162338.000001E38DE21000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    		high
                                                    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name7laJ4zKd8O.exe, 00000000.00000002.3005446682.0000000003161000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1868728706.0000026E81411000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1922679316.00000182BCD21000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2030956829.000002BDA0AE1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2164162338.000001E38DE21000.00000004.00000800.00020000.00000000.sdmpfalse
                                                      		high
                                                      https://github.com/Pester/Pesterpowershell.exe, 0000000B.00000002.2164162338.000001E38E049000.00000004.00000800.00020000.00000000.sdmpfalse
                                                        		high

                                                        World Map of Contacted IPs

                                                        • No. of IPs < 25%
                                                        • 25% < No. of IPs < 50%
                                                        • 50% < No. of IPs < 75%
                                                        • 75% < No. of IPs

                                                        Public IPs

                                                        IPDomainCountryFlagASNASN NameMalicious
                                                        208.95.112.1
                                                        		ip-api.comUnited States
                                                        		53334TUT-ASUSfalse
                                                        147.185.221.18
                                                        		hope-asia.gl.at.ply.ggUnited States
                                                        		12087SALSGIVERUStrue

                                                        General Information

                                                        Joe Sandbox version:41.0.0 Charoite
                                                        Analysis ID:1575204
                                                        Start date and time:2024-12-14 18:49:08 +01:00
                                                        Joe Sandbox product:CloudBasic
                                                        Overall analysis duration:0h 6m 33s
                                                        Hypervisor based Inspection enabled:false
                                                        Report type:full
                                                        Cookbook file name:default.jbs
                                                        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                        Number of analysed new started processes analysed:20
                                                        Number of new started drivers analysed:0
                                                        Number of existing processes analysed:0
                                                        Number of existing drivers analysed:0
                                                        Number of injected processes analysed:0
                                                        Technologies:
                                                        • HCA enabled
                                                        • EGA enabled
                                                        • AMSI enabled
                                                        Analysis Mode:default
                                                        Analysis stop reason:Timeout
                                                        Sample name:7laJ4zKd8O.exe
                                                        renamed because original name is a hash value
                                                        Original Sample Name:1738a9a215f705403b1c4f67b8ad76bb636f28510ea619bff16836f1e85421ac.exe
                                                        Detection:MAL
                                                        Classification:mal100.troj.evad.winEXE@20/21@2/2
                                                        EGA Information:
                                                        • Successful, ratio: 11.1%
                                                        HCA Information:
                                                        • Successful, ratio: 99%
                                                        • Number of executed functions: 116
                                                        • Number of non-executed functions: 5
                                                        Cookbook Comments:
                                                        • Found application associated with file extension: .exe

                                                        Warnings

                                                        • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, WmiPrvSE.exe
                                                        • Excluded IPs from analysis (whitelisted): 4.245.163.56, 13.107.246.63
                                                        • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                                        • Execution Graph export aborted for target System User.exe, PID 3180 because it is empty
                                                        • Execution Graph export aborted for target System User.exe, PID 4088 because it is empty
                                                        • Execution Graph export aborted for target System User.exe, PID 5336 because it is empty
                                                        • Execution Graph export aborted for target System User.exe, PID 5856 because it is empty
                                                        • Execution Graph export aborted for target powershell.exe, PID 1244 because it is empty
                                                        • Execution Graph export aborted for target powershell.exe, PID 2484 because it is empty
                                                        • Execution Graph export aborted for target powershell.exe, PID 3428 because it is empty
                                                        • Execution Graph export aborted for target powershell.exe, PID 908 because it is empty
                                                        • Not all processes where analyzed, report is missing behavior information
                                                        • Report size exceeded maximum capacity and may have missing behavior information.
                                                        • Report size getting too big, too many NtCreateKey calls found.
                                                        • Report size getting too big, too many NtOpenKeyEx calls found.
                                                        • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                        • Report size getting too big, too many NtQueryValueKey calls found.
                                                        • Report size getting too big, too many NtReadVirtualMemory calls found.
                                                        • VT rate limit hit for: 7laJ4zKd8O.exe

                                                        Simulations

                                                        Behavior and APIs

                                                        TimeTypeDescription
                                                        12:50:16API Interceptor55x Sleep call for process: powershell.exe modified
                                                        12:51:10API Interceptor187x Sleep call for process: 7laJ4zKd8O.exe modified
                                                        17:51:10AutostartRun: HKCU\Software\Microsoft\Windows\CurrentVersion\Run System User C:\Users\user\AppData\Roaming\System User.exe
                                                        17:51:11Task SchedulerRun new task: System User path: C:\Users\user\AppData\Roaming\System s>User.exe
                                                        17:51:19AutostartRun: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run System User C:\Users\user\AppData\Roaming\System User.exe
                                                        17:51:27AutostartRun: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System User.lnk

                                                        Joe Sandbox View / Context

                                                        IPs

                                                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                        208.95.112.13edTbzftGf.exeGet hashmaliciousDiscord Token Stealer, DotStealerBrowse
                                                        • ip-api.com/json/
                                                        gjvU5KOFhX.exeGet hashmaliciousDiscord Token Stealer, Millenuim RATBrowse
                                                        • ip-api.com/json/
                                                        hvqc3lk7ly.exeGet hashmaliciousDiscord Token Stealer, DotStealerBrowse
                                                        • ip-api.com/json/
                                                        da6ke5KbfB.exeGet hashmaliciousAsyncRAT, Babadeda, XWormBrowse
                                                        • ip-api.com/line/?fields=hosting
                                                        03VPFXH490.exeGet hashmaliciousAsyncRAT, XWormBrowse
                                                        • ip-api.com/line/?fields=hosting
                                                        Chrome Browser Update.exeGet hashmaliciousPredatorBrowse
                                                        • ip-api.com/json/
                                                        boleto.exeGet hashmaliciousXWormBrowse
                                                        • ip-api.com/line/?fields=hosting
                                                        taskhost.exeGet hashmaliciousXWormBrowse
                                                        • ip-api.com/line/?fields=hosting
                                                        XClient.exeGet hashmaliciousXWormBrowse
                                                        • ip-api.com/line/?fields=hosting
                                                        jrockekcurje.exeGet hashmaliciousBlackshadesBrowse
                                                        • ip-api.com/json/
                                                        147.185.221.18Discord.exeGet hashmaliciousAsyncRATBrowse
                                                          r8k29DBraE.exeGet hashmaliciousXWormBrowse
                                                            Lr87y2w72r.exeGet hashmaliciousXWormBrowse
                                                              7LwVrYH7sy.exeGet hashmaliciousXWormBrowse
                                                                1c8DbXc5r0.exeGet hashmaliciousXWormBrowse
                                                                  6Mt223MA25.exeGet hashmaliciousArrowRATBrowse
                                                                    b34J4bxnmN.exeGet hashmaliciousNjratBrowse
                                                                      01koiHnedL.exeGet hashmaliciousNjratBrowse
                                                                        i231IEP3oh.exeGet hashmaliciousAsyncRATBrowse
                                                                          killer.exeGet hashmaliciousXWormBrowse

                                                                            Domains

                                                                            MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                            ip-api.com3edTbzftGf.exeGet hashmaliciousDiscord Token Stealer, DotStealerBrowse
                                                                            • 208.95.112.1
                                                                            gjvU5KOFhX.exeGet hashmaliciousDiscord Token Stealer, Millenuim RATBrowse
                                                                            • 208.95.112.1
                                                                            hvqc3lk7ly.exeGet hashmaliciousDiscord Token Stealer, DotStealerBrowse
                                                                            • 208.95.112.1
                                                                            da6ke5KbfB.exeGet hashmaliciousAsyncRAT, Babadeda, XWormBrowse
                                                                            • 208.95.112.1
                                                                            03VPFXH490.exeGet hashmaliciousAsyncRAT, XWormBrowse
                                                                            • 208.95.112.1
                                                                            Chrome Browser Update.exeGet hashmaliciousPredatorBrowse
                                                                            • 208.95.112.1
                                                                            boleto.exeGet hashmaliciousXWormBrowse
                                                                            • 208.95.112.1
                                                                            taskhost.exeGet hashmaliciousXWormBrowse
                                                                            • 208.95.112.1
                                                                            XClient.exeGet hashmaliciousXWormBrowse
                                                                            • 208.95.112.1
                                                                            jrockekcurje.exeGet hashmaliciousBlackshadesBrowse
                                                                            • 208.95.112.1

                                                                            ASNs

                                                                            MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                            SALSGIVERUSfile.exeGet hashmaliciousXWormBrowse
                                                                            • 147.185.221.24
                                                                            testingg.exeGet hashmaliciousNjratBrowse
                                                                            • 147.185.221.19
                                                                            Bloxflip Predictor.exeGet hashmaliciousNjratBrowse
                                                                            • 147.185.221.224
                                                                            system404.exeGet hashmaliciousMetasploitBrowse
                                                                            • 147.185.221.19
                                                                            Discord.exeGet hashmaliciousAsyncRATBrowse
                                                                            • 147.185.221.18
                                                                            CVmkXJ7e0a.exeGet hashmaliciousSheetRatBrowse
                                                                            • 147.185.221.22
                                                                            file.exeGet hashmaliciousXWormBrowse
                                                                            • 147.185.221.24
                                                                            NhoqAfkhHL.batGet hashmaliciousUnknownBrowse
                                                                            • 147.185.221.24
                                                                            sora.mpsl.elfGet hashmaliciousMiraiBrowse
                                                                            • 147.160.103.28
                                                                            a4lIk1Jrla.exeGet hashmaliciousNjrat, RevengeRATBrowse
                                                                            • 147.185.221.24
                                                                            TUT-ASUS3edTbzftGf.exeGet hashmaliciousDiscord Token Stealer, DotStealerBrowse
                                                                            • 208.95.112.1
                                                                            gjvU5KOFhX.exeGet hashmaliciousDiscord Token Stealer, Millenuim RATBrowse
                                                                            • 208.95.112.1
                                                                            hvqc3lk7ly.exeGet hashmaliciousDiscord Token Stealer, DotStealerBrowse
                                                                            • 208.95.112.1
                                                                            da6ke5KbfB.exeGet hashmaliciousAsyncRAT, Babadeda, XWormBrowse
                                                                            • 208.95.112.1
                                                                            03VPFXH490.exeGet hashmaliciousAsyncRAT, XWormBrowse
                                                                            • 208.95.112.1
                                                                            Chrome Browser Update.exeGet hashmaliciousPredatorBrowse
                                                                            • 208.95.112.1
                                                                            boleto.exeGet hashmaliciousXWormBrowse
                                                                            • 208.95.112.1
                                                                            taskhost.exeGet hashmaliciousXWormBrowse
                                                                            • 208.95.112.1
                                                                            XClient.exeGet hashmaliciousXWormBrowse
                                                                            • 208.95.112.1
                                                                            jrockekcurje.exeGet hashmaliciousBlackshadesBrowse
                                                                            • 208.95.112.1

                                                                            JA3 Fingerprints

                                                                            No context

                                                                            Dropped Files

                                                                            No context

                                                                            Created / dropped Files

                                                                            C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\System User.exe.log

                                                                            Download File
                                                                            Process:C:\Users\user\AppData\Roaming\System User.exe
                                                                            File Type:CSV text
                                                                            Category:dropped
                                                                            Size (bytes):654
                                                                            Entropy (8bit):5.380476433908377
                                                                            Encrypted:false
                                                                            SSDEEP:12:Q3La/KDLI4MWuPXcp1OKbbDLI4MWuPOKfSSI6Khap+92n4MNQp3/VXM5gXu9tv:ML9E4KQwKDE4KGKZI6Kh6+84xp3/VclT
                                                                            MD5:30E4BDFC34907D0E4D11152CAEBE27FA
                                                                            SHA1:825402D6B151041BA01C5117387228EC9B7168BF
                                                                            SHA-256:A7B8F7FFB4822570DB1423D61ED74D7F4B538CE73521CC8745BC6B131C18BE63
                                                                            SHA-512:89FBCBCDB0BE5AD7A95685CF9AA4330D5B0250440E67DC40C6642260E024F52A402E9381F534A9824D2541B98B02094178A15BF2320148432EDB0D09B5F972BA
                                                                            Malicious:false
                                                                            Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V9921e851#\04de61553901f06e2f763b6f03a6f65a\Microsoft.VisualBasic.ni.dll",0..

                                                                            C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                            Download File
                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                            File Type:data
                                                                            Category:modified
                                                                            Size (bytes):64
                                                                            Entropy (8bit):0.34726597513537405
                                                                            Encrypted:false
                                                                            SSDEEP:3:Nlll:Nll
                                                                            MD5:446DD1CF97EABA21CF14D03AEBC79F27
                                                                            SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
                                                                            SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
                                                                            SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
                                                                            Malicious:false
                                                                            Preview:@...e...........................................................

                                                                            C:\Users\user\AppData\Local\Temp\Log.tmp

                                                                            Download File
                                                                            Process:C:\Users\user\Desktop\7laJ4zKd8O.exe
                                                                            File Type:Generic INItialization configuration [WIN]
                                                                            Category:dropped
                                                                            Size (bytes):64
                                                                            Entropy (8bit):3.6722687970803873
                                                                            Encrypted:false
                                                                            SSDEEP:3:rRSFYJKXzovNsr42VjFYJKXzovuEXn:EFYJKDoWr5FYJKDoG+n
                                                                            MD5:DE63D53293EBACE29F3F54832D739D40
                                                                            SHA1:1BC3FEF699C3C2BB7B9A9D63C7E60381263EDA7F
                                                                            SHA-256:A86BA2FC02725E4D97799A622EB68BF2FCC6167D439484624FA2666468BBFB1B
                                                                            SHA-512:10AB83C81F572DBAA99441D2BFD8EC5FF1C4BA84256ACDBD24FEB30A33498B689713EBF767500DAAAD6D188A3B9DC970CF858A6896F4381CEAC1F6A74E1603D0
                                                                            Malicious:false
                                                                            Preview:....### explorer ###..[WIN]r[WIN]....### explorer ###..r[WIN]r

                                                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2xp32wru.3cz.ps1

                                                                            Download File
                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                            File Type:ASCII text, with no line terminators
                                                                            Category:dropped
                                                                            Size (bytes):60
                                                                            Entropy (8bit):4.038920595031593
                                                                            Encrypted:false
                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                            Malicious:false
                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5ys0q1vt.3m4.psm1

                                                                            Download File
                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                            File Type:ASCII text, with no line terminators
                                                                            Category:dropped
                                                                            Size (bytes):60
                                                                            Entropy (8bit):4.038920595031593
                                                                            Encrypted:false
                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                            Malicious:false
                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_a0bvcxmc.iqh.ps1

                                                                            Download File
                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                            File Type:ASCII text, with no line terminators
                                                                            Category:dropped
                                                                            Size (bytes):60
                                                                            Entropy (8bit):4.038920595031593
                                                                            Encrypted:false
                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                            Malicious:false
                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_apmafiqg.t2s.ps1

                                                                            Download File
                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                            File Type:ASCII text, with no line terminators
                                                                            Category:dropped
                                                                            Size (bytes):60
                                                                            Entropy (8bit):4.038920595031593
                                                                            Encrypted:false
                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                            Malicious:false
                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_awgqxcbb.moo.psm1

                                                                            Download File
                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                            File Type:ASCII text, with no line terminators
                                                                            Category:dropped
                                                                            Size (bytes):60
                                                                            Entropy (8bit):4.038920595031593
                                                                            Encrypted:false
                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                            Malicious:false
                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_b5kgwi2x.q1a.psm1

                                                                            Download File
                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                            File Type:ASCII text, with no line terminators
                                                                            Category:dropped
                                                                            Size (bytes):60
                                                                            Entropy (8bit):4.038920595031593
                                                                            Encrypted:false
                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                            Malicious:false
                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_iuus0fsb.lmn.psm1

                                                                            Download File
                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                            File Type:ASCII text, with no line terminators
                                                                            Category:dropped
                                                                            Size (bytes):60
                                                                            Entropy (8bit):4.038920595031593
                                                                            Encrypted:false
                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                            Malicious:false
                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jlmrvnti.vwh.psm1

                                                                            Download File
                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                            File Type:ASCII text, with no line terminators
                                                                            Category:dropped
                                                                            Size (bytes):60
                                                                            Entropy (8bit):4.038920595031593
                                                                            Encrypted:false
                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                            Malicious:false
                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lvshhgv3.byt.psm1

                                                                            Download File
                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                            File Type:ASCII text, with no line terminators
                                                                            Category:dropped
                                                                            Size (bytes):60
                                                                            Entropy (8bit):4.038920595031593
                                                                            Encrypted:false
                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                            Malicious:false
                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mgirwubh.ioa.ps1

                                                                            Download File
                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                            File Type:ASCII text, with no line terminators
                                                                            Category:dropped
                                                                            Size (bytes):60
                                                                            Entropy (8bit):4.038920595031593
                                                                            Encrypted:false
                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                            Malicious:false
                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mpbauyia.m3p.ps1

                                                                            Download File
                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                            File Type:ASCII text, with no line terminators
                                                                            Category:dropped
                                                                            Size (bytes):60
                                                                            Entropy (8bit):4.038920595031593
                                                                            Encrypted:false
                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                            Malicious:false
                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qvedxyfq.mml.ps1

                                                                            Download File
                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                            File Type:ASCII text, with no line terminators
                                                                            Category:dropped
                                                                            Size (bytes):60
                                                                            Entropy (8bit):4.038920595031593
                                                                            Encrypted:false
                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                            Malicious:false
                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_shz4maow.uag.psm1

                                                                            Download File
                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                            File Type:ASCII text, with no line terminators
                                                                            Category:dropped
                                                                            Size (bytes):60
                                                                            Entropy (8bit):4.038920595031593
                                                                            Encrypted:false
                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                            Malicious:false
                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vxn5idy3.tuk.ps1

                                                                            Download File
                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                            File Type:ASCII text, with no line terminators
                                                                            Category:dropped
                                                                            Size (bytes):60
                                                                            Entropy (8bit):4.038920595031593
                                                                            Encrypted:false
                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                            Malicious:false
                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wya4hkoc.hty.ps1

                                                                            Download File
                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                            File Type:ASCII text, with no line terminators
                                                                            Category:dropped
                                                                            Size (bytes):60
                                                                            Entropy (8bit):4.038920595031593
                                                                            Encrypted:false
                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                            Malicious:false
                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ypidd3qn.at4.psm1

                                                                            Download File
                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                            File Type:ASCII text, with no line terminators
                                                                            Category:dropped
                                                                            Size (bytes):60
                                                                            Entropy (8bit):4.038920595031593
                                                                            Encrypted:false
                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                            Malicious:false
                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                            C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System User.lnk

                                                                            Download File
                                                                            Process:C:\Users\user\Desktop\7laJ4zKd8O.exe
                                                                            File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Sat Dec 14 16:51:09 2024, mtime=Sat Dec 14 16:51:09 2024, atime=Sat Dec 14 16:51:09 2024, length=314368, window=hide
                                                                            Category:dropped
                                                                            Size (bytes):786
                                                                            Entropy (8bit):5.060270921456959
                                                                            Encrypted:false
                                                                            SSDEEP:12:8gKh64y2WCOdY//AKokLGSnlttyHNAjAVrHlyfHMTBmV:85yhN+4KoGGSHt8UAV80TBm
                                                                            MD5:C4B058E527A37F0178B27EB056F706DF
                                                                            SHA1:8B9D87680FB166F31AB534DE2C45F9C7F1ABB109
                                                                            SHA-256:CC1DBC3333AFAF2F3C0F3FD4F95BCE47DFF05785A51C3AE5010C509384240FFC
                                                                            SHA-512:58DE00D11F726185A81490C8405B165DA1CA4018293A9A05D06ADF6CA20C20C90D412E6897AFB76A4892A619BDC3BFD6080397247279E4C3E33D34D33419CB20
                                                                            Malicious:false
                                                                            Preview:L..................F.... ...@h..PN..@h..PN..@h..PN............................:..DG..Yr?.D..U..k0.&...&......vk.v....IB2.PN....Y.PN......t...CFSF..1.....CW.^..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......CW.^.YB............................%..A.p.p.D.a.t.a...B.V.1......Y@...Roaming.@......CW.^.Y@............................LB.R.o.a.m.i.n.g.....l.2......Ye. .SYSTEM~1.EXE..P......Ye..Ye.............................(.S.y.s.t.e.m. .U.s.e.r...e.x.e.......]...............-.......\...........=Q_......C:\Users\user\AppData\Roaming\System User.exe........\.....\.....\.....\.....\.S.y.s.t.e.m. .U.s.e.r...e.x.e.`.......X.......405464...........hT..CrF.f4... .....C....,.......hT..CrF.f4... .....C....,......E.......9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?................

                                                                            C:\Users\user\AppData\Roaming\System User.exe

                                                                            Download File
                                                                            Process:C:\Users\user\Desktop\7laJ4zKd8O.exe
                                                                            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):314368
                                                                            Entropy (8bit):6.658492881367909
                                                                            Encrypted:false
                                                                            SSDEEP:6144:Z7TbGLE2a3fTnrrBrkRqPaCY+zoUf/f92Oq7ElR:ZSElzrFPcq3xqkR
                                                                            MD5:43BB1FBFD735DF983C0DBB50EDA6FFEF
                                                                            SHA1:1173E059D3C502019CFA7C719A34C99ED3BC32F1
                                                                            SHA-256:1738A9A215F705403B1C4F67B8AD76BB636F28510EA619BFF16836F1E85421AC
                                                                            SHA-512:5672EEAE0EB767BD09CF800802C4E3225513D5D1C9616B10FB51091AA50B0CDD1D101AA7FDEE0292FAC5CF48F616E1BFF8D0B902EF57594763D3DC95F275EB1B
                                                                            Malicious:true
                                                                            Yara Hits:
                                                                            • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Roaming\System User.exe, Author: Joe Security
                                                                            • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Roaming\System User.exe, Author: Joe Security
                                                                            • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Roaming\System User.exe, Author: ditekSHen
                                                                            Antivirus:
                                                                            • Antivirus: Avira, Detection: 100%
                                                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                            • Antivirus: ReversingLabs, Detection: 76%
                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....[g.................,..........NJ... ...`....@.. ....................... ............@..................................I..O....`.............................................................................. ............... ..H............text...T*... ...,.................. ..`.rsrc.......`......................@..@.reloc..............................@..B................0J......H........b..........&.....................................................(....*.r...p*. ....*..(....*.re..p*. .(T.*.s.........s.........s.........s.........*.r...p*. ...*.r-..p*.r...p*. ....*.r...p*. .Y*.*.rY..p*. .m7.*..((...*.r...p*. .x!.*.r...p*. ....*.(+...-.(,...,.+.(-...,.+.(*...,.+.()...,..(Z...*"(....+.*&(....&+.*.+5sk... .... .'..ol...(,...~....-.(_...(Q...~....om...&.-.*.r...p*. .O..*.r...p*. .A..*.rS..p*. ~.H.*.r...p*. ...*.r...p*.r...p*. .&..*.r...p*. 2Z..*.rG.

                                                                            Static File Info

                                                                            General

                                                                            File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                            Entropy (8bit):6.658492881367909
                                                                            TrID:
                                                                            • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                                            • Win32 Executable (generic) a (10002005/4) 49.78%
                                                                            • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                            • Generic Win/DOS Executable (2004/3) 0.01%
                                                                            • DOS Executable Generic (2002/1) 0.01%
                                                                            File name:7laJ4zKd8O.exe
                                                                            File size:314'368 bytes
                                                                            MD5:43bb1fbfd735df983c0dbb50eda6ffef
                                                                            SHA1:1173e059d3c502019cfa7c719a34c99ed3bc32f1
                                                                            SHA256:1738a9a215f705403b1c4f67b8ad76bb636f28510ea619bff16836f1e85421ac
                                                                            SHA512:5672eeae0eb767bd09cf800802c4e3225513d5d1c9616b10fb51091aa50b0cdd1d101aa7fdee0292fac5cf48f616e1bff8d0b902ef57594763d3dc95f275eb1b
                                                                            SSDEEP:6144:Z7TbGLE2a3fTnrrBrkRqPaCY+zoUf/f92Oq7ElR:ZSElzrFPcq3xqkR
                                                                            TLSH:7564063907D2509BCF961B3CF4D4733885FC8BE1E812DE89ABA56496EE65F4C68C0D84
                                                                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....[g.................,..........NJ... ...`....@.. ....................... ............@................................

                                                                            File Icon

                                                                            Icon Hash:f0e1d4f0d0e972c7

                                                                            Static PE Info

                                                                            General

                                                                            Entrypoint:0x414a4e
                                                                            Entrypoint Section:.text
                                                                            Digitally signed:false
                                                                            Imagebase:0x400000
                                                                            Subsystem:windows gui
                                                                            Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                            DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                            Time Stamp:0x675B0A8D [Thu Dec 12 16:08:45 2024 UTC]
                                                                            TLS Callbacks:
                                                                            CLR (.Net) Version:
                                                                            OS Version Major:4
                                                                            OS Version Minor:0
                                                                            File Version Major:4
                                                                            File Version Minor:0
                                                                            Subsystem Version Major:4
                                                                            Subsystem Version Minor:0
                                                                            Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                                            Entrypoint Preview

                                                                            Instruction
                                                                            jmp dword ptr [00402000h]
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al

                                                                            Data Directories

                                                                            NameVirtual AddressVirtual Size Is in Section
                                                                            IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                                                            IMAGE_DIRECTORY_ENTRY_IMPORT0x149fc0x4f.text
                                                                            IMAGE_DIRECTORY_ENTRY_RESOURCE0x160000x39ace.rsrc
                                                                            IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                                                            IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                                                            IMAGE_DIRECTORY_ENTRY_BASERELOC0x500000xc.reloc
                                                                            IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                                                                            IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                                                            IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                                                            IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                                                            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                                                            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                                                            IMAGE_DIRECTORY_ENTRY_IAT0x20000x8.text
                                                                            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                                                            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20080x48.text
                                                                            IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                                                            Sections

                                                                            NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                                                            .text0x20000x12a540x12c003b53034151724c6bb5d12a2825214a02False0.6008333333333333data6.023186836033415IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                                            .rsrc0x160000x39ace0x39c00a1c284e57a05302e2b14571e86d2a59cFalse0.6284496753246753data6.6079751726274IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                            .reloc0x500000xc0x200ee2c0ef565c9bbdc0fdd5eb9cbfbfbacFalse0.044921875data0.10191042566270775IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                                            Resources

                                                                            NameRVASizeTypeLanguageCountryZLIB Complexity
                                                                            RT_ICON0x162b00x468Device independent bitmap graphic, 16 x 32 x 32, image size 10240.7278368794326241
                                                                            RT_ICON0x167180x988Device independent bitmap graphic, 24 x 48 x 32, image size 23040.6729508196721311
                                                                            RT_ICON0x170a00x10a8Device independent bitmap graphic, 32 x 64 x 32, image size 40960.6308630393996247
                                                                            RT_ICON0x181480x25a8Device independent bitmap graphic, 48 x 96 x 32, image size 92160.566597510373444
                                                                            RT_ICON0x1a6f00x4228Device independent bitmap graphic, 64 x 128 x 32, image size 163840.5219059990552669
                                                                            RT_ICON0x1e9180x5488Device independent bitmap graphic, 72 x 144 x 32, image size 207360.5018022181146026
                                                                            RT_ICON0x23da00x94a8Device independent bitmap graphic, 96 x 192 x 32, image size 368640.46457851587134746
                                                                            RT_ICON0x2d2480x10828Device independent bitmap graphic, 128 x 256 x 32, image size 655360.43163669703064
                                                                            RT_ICON0x3da700x119eaPNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced1.0001385617292504
                                                                            RT_GROUP_ICON0x4f45c0x84data0.7045454545454546
                                                                            RT_VERSION0x4f4e00x404data0.4173151750972763
                                                                            RT_MANIFEST0x4f8e40x1eaXML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators0.5469387755102041

                                                                            Imports

                                                                            DLLImport
                                                                            mscoree.dll_CorExeMain

                                                                            Network Behavior

                                                                            Suricata IDS Alerts

                                                                            TimestampSIDSignatureSeveritySource IPSource PortDest IPDest PortProtocol
                                                                            2024-12-14T18:51:19.441769+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1147.185.221.1835710192.168.2.449765TCP
                                                                            2024-12-14T18:51:19.441769+01002852874ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M21147.185.221.1835710192.168.2.449765TCP
                                                                            2024-12-14T18:51:26.481046+01002855924ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound1192.168.2.449765147.185.221.1835710TCP
                                                                            2024-12-14T18:51:26.990413+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1147.185.221.1835710192.168.2.449765TCP
                                                                            2024-12-14T18:51:26.992028+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.449765147.185.221.1835710TCP
                                                                            2024-12-14T18:51:40.713387+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1147.185.221.1835710192.168.2.449765TCP
                                                                            2024-12-14T18:51:40.715272+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.449765147.185.221.1835710TCP
                                                                            2024-12-14T18:51:49.441195+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1147.185.221.1835710192.168.2.449765TCP
                                                                            2024-12-14T18:51:49.441195+01002852874ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M21147.185.221.1835710192.168.2.449765TCP
                                                                            2024-12-14T18:51:54.449133+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1147.185.221.1835710192.168.2.449765TCP
                                                                            2024-12-14T18:51:54.450831+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.449765147.185.221.1835710TCP
                                                                            2024-12-14T18:52:08.174682+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1147.185.221.1835710192.168.2.449765TCP
                                                                            2024-12-14T18:52:08.177238+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.449765147.185.221.1835710TCP
                                                                            2024-12-14T18:52:16.024135+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1147.185.221.1835710192.168.2.449765TCP
                                                                            2024-12-14T18:52:16.024962+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.449765147.185.221.1835710TCP

                                                                            Network Port Distribution

                                                                            TCP Packets

                                                                            TimestampSource PortDest PortSource IPDest IP
                                                                            Dec 14, 2024 18:50:14.375174999 CET4973080192.168.2.4208.95.112.1
                                                                            Dec 14, 2024 18:50:14.496552944 CET8049730208.95.112.1192.168.2.4
                                                                            Dec 14, 2024 18:50:14.499372959 CET4973080192.168.2.4208.95.112.1
                                                                            Dec 14, 2024 18:50:14.504626989 CET4973080192.168.2.4208.95.112.1
                                                                            Dec 14, 2024 18:50:14.627403021 CET8049730208.95.112.1192.168.2.4
                                                                            Dec 14, 2024 18:50:15.598782063 CET8049730208.95.112.1192.168.2.4
                                                                            Dec 14, 2024 18:50:15.653805971 CET4973080192.168.2.4208.95.112.1
                                                                            Dec 14, 2024 18:51:12.345117092 CET4976535710192.168.2.4147.185.221.18
                                                                            Dec 14, 2024 18:51:12.467026949 CET3571049765147.185.221.18192.168.2.4
                                                                            Dec 14, 2024 18:51:12.467178106 CET4976535710192.168.2.4147.185.221.18
                                                                            Dec 14, 2024 18:51:12.736763954 CET4976535710192.168.2.4147.185.221.18
                                                                            Dec 14, 2024 18:51:12.856559038 CET3571049765147.185.221.18192.168.2.4
                                                                            Dec 14, 2024 18:51:19.441768885 CET3571049765147.185.221.18192.168.2.4
                                                                            Dec 14, 2024 18:51:19.496893883 CET4976535710192.168.2.4147.185.221.18
                                                                            Dec 14, 2024 18:51:23.593544006 CET8049730208.95.112.1192.168.2.4
                                                                            Dec 14, 2024 18:51:23.593739033 CET4973080192.168.2.4208.95.112.1
                                                                            Dec 14, 2024 18:51:26.481045961 CET4976535710192.168.2.4147.185.221.18
                                                                            Dec 14, 2024 18:51:26.605742931 CET3571049765147.185.221.18192.168.2.4
                                                                            Dec 14, 2024 18:51:26.990412951 CET3571049765147.185.221.18192.168.2.4
                                                                            Dec 14, 2024 18:51:26.992027998 CET4976535710192.168.2.4147.185.221.18
                                                                            Dec 14, 2024 18:51:27.118520975 CET3571049765147.185.221.18192.168.2.4
                                                                            Dec 14, 2024 18:51:40.206437111 CET4976535710192.168.2.4147.185.221.18
                                                                            Dec 14, 2024 18:51:40.327548027 CET3571049765147.185.221.18192.168.2.4
                                                                            Dec 14, 2024 18:51:40.713387012 CET3571049765147.185.221.18192.168.2.4
                                                                            Dec 14, 2024 18:51:40.715271950 CET4976535710192.168.2.4147.185.221.18
                                                                            Dec 14, 2024 18:51:40.839257002 CET3571049765147.185.221.18192.168.2.4
                                                                            Dec 14, 2024 18:51:49.441195011 CET3571049765147.185.221.18192.168.2.4
                                                                            Dec 14, 2024 18:51:49.496782064 CET4976535710192.168.2.4147.185.221.18
                                                                            Dec 14, 2024 18:51:53.934437990 CET4976535710192.168.2.4147.185.221.18
                                                                            Dec 14, 2024 18:51:54.060844898 CET3571049765147.185.221.18192.168.2.4
                                                                            Dec 14, 2024 18:51:54.449132919 CET3571049765147.185.221.18192.168.2.4
                                                                            Dec 14, 2024 18:51:54.450830936 CET4976535710192.168.2.4147.185.221.18
                                                                            Dec 14, 2024 18:51:54.570894957 CET3571049765147.185.221.18192.168.2.4
                                                                            Dec 14, 2024 18:51:55.638638973 CET4973080192.168.2.4208.95.112.1
                                                                            Dec 14, 2024 18:51:55.761699915 CET8049730208.95.112.1192.168.2.4
                                                                            Dec 14, 2024 18:52:07.668811083 CET4976535710192.168.2.4147.185.221.18
                                                                            Dec 14, 2024 18:52:07.788650990 CET3571049765147.185.221.18192.168.2.4
                                                                            Dec 14, 2024 18:52:08.174681902 CET3571049765147.185.221.18192.168.2.4
                                                                            Dec 14, 2024 18:52:08.177237988 CET4976535710192.168.2.4147.185.221.18
                                                                            Dec 14, 2024 18:52:08.297044039 CET3571049765147.185.221.18192.168.2.4
                                                                            Dec 14, 2024 18:52:15.512603045 CET4976535710192.168.2.4147.185.221.18
                                                                            Dec 14, 2024 18:52:15.638736010 CET3571049765147.185.221.18192.168.2.4
                                                                            Dec 14, 2024 18:52:16.024135113 CET3571049765147.185.221.18192.168.2.4
                                                                            Dec 14, 2024 18:52:16.024961948 CET4976535710192.168.2.4147.185.221.18
                                                                            Dec 14, 2024 18:52:16.145129919 CET3571049765147.185.221.18192.168.2.4

                                                                            UDP Packets

                                                                            TimestampSource PortDest PortSource IPDest IP
                                                                            Dec 14, 2024 18:50:14.202611923 CET6168953192.168.2.41.1.1.1
                                                                            Dec 14, 2024 18:50:14.346539974 CET53616891.1.1.1192.168.2.4
                                                                            Dec 14, 2024 18:51:12.062165976 CET5990653192.168.2.41.1.1.1
                                                                            Dec 14, 2024 18:51:12.320626020 CET53599061.1.1.1192.168.2.4

                                                                            DNS Queries

                                                                            TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                                                            Dec 14, 2024 18:50:14.202611923 CET192.168.2.41.1.1.10x2c49Standard query (0)ip-api.comA (IP address)IN (0x0001)false
                                                                            Dec 14, 2024 18:51:12.062165976 CET192.168.2.41.1.1.10xfb77Standard query (0)hope-asia.gl.at.ply.ggA (IP address)IN (0x0001)false

                                                                            DNS Answers

                                                                            TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                                                            Dec 14, 2024 18:50:14.346539974 CET1.1.1.1192.168.2.40x2c49No error (0)ip-api.com208.95.112.1A (IP address)IN (0x0001)false
                                                                            Dec 14, 2024 18:51:12.320626020 CET1.1.1.1192.168.2.40xfb77No error (0)hope-asia.gl.at.ply.gg147.185.221.18A (IP address)IN (0x0001)false

                                                                            HTTP Request Dependency Graph

                                                                            • ip-api.com

                                                                            HTTP Packets

                                                                            Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                            0192.168.2.449730208.95.112.1806640C:\Users\user\Desktop\7laJ4zKd8O.exe
                                                                            TimestampBytes transferredDirectionData
                                                                            Dec 14, 2024 18:50:14.504626989 CET80OUTGET /line/?fields=hosting HTTP/1.1
                                                                            Host: ip-api.com
                                                                            Connection: Keep-Alive
                                                                            Dec 14, 2024 18:50:15.598782063 CET175INHTTP/1.1 200 OK
                                                                            Date: Sat, 14 Dec 2024 17:50:15 GMT
                                                                            Content-Type: text/plain; charset=utf-8
                                                                            Content-Length: 6
                                                                            Access-Control-Allow-Origin: *
                                                                            X-Ttl: 60
                                                                            X-Rl: 44
                                                                            Data Raw: 66 61 6c 73 65 0a
                                                                            Data Ascii: false


                                                                            Statistics

                                                                            CPU Usage

                                                                            Click to jump to process

                                                                            Memory Usage

                                                                            Click to jump to process

                                                                            High Level Behavior Distribution

                                                                            Click to dive into process behavior distribution

                                                                            Behavior

                                                                            Click to jump to process

                                                                            System Behavior

                                                                            General

                                                                            Target ID:0
                                                                            Start time:12:50:06
                                                                            Start date:14/12/2024
                                                                            Path:C:\Users\user\Desktop\7laJ4zKd8O.exe
                                                                            Wow64 process (32bit):false
                                                                            Commandline:"C:\Users\user\Desktop\7laJ4zKd8O.exe"
                                                                            Imagebase:0xf00000
                                                                            File size:314'368 bytes
                                                                            MD5 hash:43BB1FBFD735DF983C0DBB50EDA6FFEF
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Yara matches:
                                                                            • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000000.1750635709.0000000000F02000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                            • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000000.1750635709.0000000000F02000.00000002.00000001.01000000.00000003.sdmp, Author: ditekSHen
                                                                            • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.3005446682.00000000031AC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                            • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.3005446682.000000000322D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                            • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.3005446682.0000000003161000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                            Reputation:low
                                                                            Has exited:false

                                                                            General

                                                                            Target ID:1
                                                                            Start time:12:50:15
                                                                            Start date:14/12/2024
                                                                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                            Wow64 process (32bit):false
                                                                            Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\7laJ4zKd8O.exe'
                                                                            Imagebase:0x7ff788560000
                                                                            File size:452'608 bytes
                                                                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Reputation:high
                                                                            Has exited:true

                                                                            General

                                                                            Target ID:2
                                                                            Start time:12:50:15
                                                                            Start date:14/12/2024
                                                                            Path:C:\Windows\System32\conhost.exe
                                                                            Wow64 process (32bit):false
                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                            Imagebase:0x7ff7699e0000
                                                                            File size:862'208 bytes
                                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Reputation:high
                                                                            Has exited:true

                                                                            General

                                                                            Target ID:4
                                                                            Start time:12:50:21
                                                                            Start date:14/12/2024
                                                                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                            Wow64 process (32bit):false
                                                                            Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '7laJ4zKd8O.exe'
                                                                            Imagebase:0x7ff788560000
                                                                            File size:452'608 bytes
                                                                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Reputation:high
                                                                            Has exited:true

                                                                            General

                                                                            Target ID:5
                                                                            Start time:12:50:21
                                                                            Start date:14/12/2024
                                                                            Path:C:\Windows\System32\conhost.exe
                                                                            Wow64 process (32bit):false
                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                            Imagebase:0x7ff7699e0000
                                                                            File size:862'208 bytes
                                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Reputation:high
                                                                            Has exited:true

                                                                            General

                                                                            Target ID:9
                                                                            Start time:12:50:32
                                                                            Start date:14/12/2024
                                                                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                            Wow64 process (32bit):false
                                                                            Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\System User.exe'
                                                                            Imagebase:0x7ff788560000
                                                                            File size:452'608 bytes
                                                                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Reputation:high
                                                                            Has exited:true

                                                                            General

                                                                            Target ID:10
                                                                            Start time:12:50:32
                                                                            Start date:14/12/2024
                                                                            Path:C:\Windows\System32\conhost.exe
                                                                            Wow64 process (32bit):false
                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                            Imagebase:0x7ff7699e0000
                                                                            File size:862'208 bytes
                                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Reputation:high
                                                                            Has exited:true

                                                                            General

                                                                            Target ID:11
                                                                            Start time:12:50:45
                                                                            Start date:14/12/2024
                                                                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                            Wow64 process (32bit):false
                                                                            Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'System User.exe'
                                                                            Imagebase:0x7ff788560000
                                                                            File size:452'608 bytes
                                                                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Reputation:high
                                                                            Has exited:true

                                                                            General

                                                                            Target ID:12
                                                                            Start time:12:50:45
                                                                            Start date:14/12/2024
                                                                            Path:C:\Windows\System32\conhost.exe
                                                                            Wow64 process (32bit):false
                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                            Imagebase:0x7ff7699e0000
                                                                            File size:862'208 bytes
                                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Reputation:high
                                                                            Has exited:true

                                                                            General

                                                                            Target ID:13
                                                                            Start time:12:51:09
                                                                            Start date:14/12/2024
                                                                            Path:C:\Windows\System32\schtasks.exe
                                                                            Wow64 process (32bit):false
                                                                            Commandline:"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "System User" /tr "C:\Users\user\AppData\Roaming\System User.exe"
                                                                            Imagebase:0x7ff71e800000
                                                                            File size:235'008 bytes
                                                                            MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Reputation:high
                                                                            Has exited:true

                                                                            General

                                                                            Target ID:14
                                                                            Start time:12:51:09
                                                                            Start date:14/12/2024
                                                                            Path:C:\Windows\System32\conhost.exe
                                                                            Wow64 process (32bit):false
                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                            Imagebase:0x7ff7699e0000
                                                                            File size:862'208 bytes
                                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Has exited:true

                                                                            General

                                                                            Target ID:15
                                                                            Start time:12:51:11
                                                                            Start date:14/12/2024
                                                                            Path:C:\Users\user\AppData\Roaming\System User.exe
                                                                            Wow64 process (32bit):false
                                                                            Commandline:"C:\Users\user\AppData\Roaming\System User.exe"
                                                                            Imagebase:0x290000
                                                                            File size:314'368 bytes
                                                                            MD5 hash:43BB1FBFD735DF983C0DBB50EDA6FFEF
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Yara matches:
                                                                            • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Roaming\System User.exe, Author: Joe Security
                                                                            • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Roaming\System User.exe, Author: Joe Security
                                                                            • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Roaming\System User.exe, Author: ditekSHen
                                                                            Antivirus matches:
                                                                            • Detection: 100%, Avira
                                                                            • Detection: 100%, Joe Sandbox ML
                                                                            • Detection: 76%, ReversingLabs
                                                                            Has exited:true

                                                                            General

                                                                            Target ID:16
                                                                            Start time:12:51:19
                                                                            Start date:14/12/2024
                                                                            Path:C:\Users\user\AppData\Roaming\System User.exe
                                                                            Wow64 process (32bit):false
                                                                            Commandline:"C:\Users\user\AppData\Roaming\System User.exe"
                                                                            Imagebase:0xd80000
                                                                            File size:314'368 bytes
                                                                            MD5 hash:43BB1FBFD735DF983C0DBB50EDA6FFEF
                                                                            Has elevated privileges:false
                                                                            Has administrator privileges:false
                                                                            Programmed in:C, C++ or other language
                                                                            Has exited:true

                                                                            General

                                                                            Target ID:18
                                                                            Start time:12:51:27
                                                                            Start date:14/12/2024
                                                                            Path:C:\Users\user\AppData\Roaming\System User.exe
                                                                            Wow64 process (32bit):false
                                                                            Commandline:"C:\Users\user\AppData\Roaming\System User.exe"
                                                                            Imagebase:0x160000
                                                                            File size:314'368 bytes
                                                                            MD5 hash:43BB1FBFD735DF983C0DBB50EDA6FFEF
                                                                            Has elevated privileges:false
                                                                            Has administrator privileges:false
                                                                            Programmed in:C, C++ or other language
                                                                            Has exited:true

                                                                            General

                                                                            Target ID:19
                                                                            Start time:12:52:01
                                                                            Start date:14/12/2024
                                                                            Path:C:\Users\user\AppData\Roaming\System User.exe
                                                                            Wow64 process (32bit):false
                                                                            Commandline:"C:\Users\user\AppData\Roaming\System User.exe"
                                                                            Imagebase:0x2a0000
                                                                            File size:314'368 bytes
                                                                            MD5 hash:43BB1FBFD735DF983C0DBB50EDA6FFEF
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Has exited:true

                                                                            Disassembly

                                                                            Reset < >

                                                                              Execution Graph

                                                                              Execution Coverage:21.6%
                                                                              Dynamic/Decrypted Code Coverage:100%
                                                                              Signature Coverage:11.1%
                                                                              Total number of Nodes:36
                                                                              Total number of Limit Nodes:4
                                                                              execution_graph 6285 7ffd9b70f651 6286 7ffd9b70f66f 6285->6286 6288 7ffd9b70f72f 6286->6288 6289 7ffd9b70bd30 6286->6289 6290 7ffd9b70bd39 6289->6290 6295 7ffd9b709858 6290->6295 6296 7ffd9b70983f RtlSetProcessIsCritical 6295->6296 6298 7ffd9b709962 6296->6298 6299 7ffd9b709868 6298->6299 6300 7ffd9b70983f 6299->6300 6300->6299 6301 7ffd9b709902 RtlSetProcessIsCritical 6300->6301 6302 7ffd9b709962 6301->6302 6302->6288 6316 7ffd9b708bf2 6317 7ffd9b708bfc RtlSetProcessIsCritical 6316->6317 6320 7ffd9b708b19 6316->6320 6319 7ffd9b709962 6317->6319 6303 7ffd9b70af14 6305 7ffd9b70af1d 6303->6305 6304 7ffd9b70aed7 6305->6304 6312 7ffd9b709838 6305->6312 6307 7ffd9b70afd5 6308 7ffd9b709858 RtlSetProcessIsCritical 6307->6308 6311 7ffd9b70afd9 6307->6311 6309 7ffd9b70b00a 6308->6309 6310 7ffd9b709868 RtlSetProcessIsCritical 6309->6310 6310->6311 6313 7ffd9b70983f RtlSetProcessIsCritical 6312->6313 6315 7ffd9b709962 6313->6315 6315->6307 6275 7ffd9b70a2f8 6276 7ffd9b70a301 6275->6276 6277 7ffd9b70a2b7 6276->6277 6278 7ffd9b70a392 SetWindowsHookExW 6276->6278 6279 7ffd9b70a3d1 6278->6279 6280 7ffd9b707a81 6281 7ffd9b707a37 6280->6281 6282 7ffd9b707a9c CheckRemoteDebuggerPresent 6280->6282 6284 7ffd9b707b3f 6282->6284

                                                                              Executed Functions

                                                                              Function 00007FFD9B70E374 Relevance: 2.2, Strings: 1, Instructions: 950COMMON
                                                                              Download Yara Rule

                                                                              Control-flow Graph

                                                                              • Executed
                                                                              • Not Executed
                                                                              control_flow_graph 36 7ffd9b70e374-7ffd9b70e380 call 7ffd9b700a40 38 7ffd9b70e385-7ffd9b70e3c5 36->38 42 7ffd9b70e3c7-7ffd9b70e3e4 38->42 43 7ffd9b70e43b 38->43 44 7ffd9b70e440-7ffd9b70e455 42->44 46 7ffd9b70e3e6-7ffd9b70e436 call 7ffd9b70d290 42->46 43->44 48 7ffd9b70e473-7ffd9b70e488 44->48 49 7ffd9b70e457-7ffd9b70e46e call 7ffd9b701228 call 7ffd9b700a50 44->49 69 7ffd9b70f07b-7ffd9b70f089 46->69 55 7ffd9b70e4bf-7ffd9b70e4d4 48->55 56 7ffd9b70e48a-7ffd9b70e4ba call 7ffd9b701228 48->56 49->69 65 7ffd9b70e4d6-7ffd9b70e4e2 call 7ffd9b70b558 55->65 66 7ffd9b70e4e7-7ffd9b70e4fc 55->66 56->69 65->69 74 7ffd9b70e4fe-7ffd9b70e501 66->74 75 7ffd9b70e542-7ffd9b70e557 66->75 74->43 77 7ffd9b70e507-7ffd9b70e512 74->77 81 7ffd9b70e598-7ffd9b70e5ad 75->81 82 7ffd9b70e559-7ffd9b70e55c 75->82 77->43 79 7ffd9b70e518-7ffd9b70e53d call 7ffd9b700a28 call 7ffd9b70b558 77->79 79->69 88 7ffd9b70e5af-7ffd9b70e5b2 81->88 89 7ffd9b70e5da-7ffd9b70e5ef 81->89 82->43 83 7ffd9b70e562-7ffd9b70e56d 82->83 83->43 86 7ffd9b70e573-7ffd9b70e593 call 7ffd9b700a28 call 7ffd9b70b328 83->86 86->69 88->43 92 7ffd9b70e5b8-7ffd9b70e5d5 call 7ffd9b700a28 call 7ffd9b70b330 88->92 99 7ffd9b70e5f5-7ffd9b70e641 call 7ffd9b7009b0 89->99 100 7ffd9b70e6c7-7ffd9b70e6dc 89->100 92->69 99->43 133 7ffd9b70e647-7ffd9b70e67f call 7ffd9b707700 99->133 108 7ffd9b70e6de-7ffd9b70e6e1 100->108 109 7ffd9b70e6fb-7ffd9b70e710 100->109 108->43 112 7ffd9b70e6e7-7ffd9b70e6f6 call 7ffd9b70b308 108->112 116 7ffd9b70e732-7ffd9b70e747 109->116 117 7ffd9b70e712-7ffd9b70e715 109->117 112->69 124 7ffd9b70e767-7ffd9b70e77c 116->124 125 7ffd9b70e749-7ffd9b70e762 116->125 117->43 119 7ffd9b70e71b-7ffd9b70e72d call 7ffd9b70b308 117->119 119->69 130 7ffd9b70e77e-7ffd9b70e797 124->130 131 7ffd9b70e79c-7ffd9b70e7b1 124->131 125->69 130->69 136 7ffd9b70e7d1-7ffd9b70e7e6 131->136 137 7ffd9b70e7b3-7ffd9b70e7cc 131->137 133->43 149 7ffd9b70e685-7ffd9b70e6c2 call 7ffd9b70b588 133->149 142 7ffd9b70e80f-7ffd9b70e824 136->142 143 7ffd9b70e7e8-7ffd9b70e7eb 136->143 137->69 150 7ffd9b70e8c4-7ffd9b70e8d9 142->150 151 7ffd9b70e82a-7ffd9b70e879 142->151 143->43 145 7ffd9b70e7f1-7ffd9b70e80a 143->145 145->69 149->69 159 7ffd9b70e8f1-7ffd9b70e906 150->159 160 7ffd9b70e8db-7ffd9b70e8ec 150->160 165 7ffd9b70e9a6-7ffd9b70e9bb 159->165 166 7ffd9b70e90c-7ffd9b70e932 159->166 160->69 173 7ffd9b70e9bd-7ffd9b70e9ce 165->173 174 7ffd9b70e9d3-7ffd9b70e9e8 165->174 175 7ffd9b70e933-7ffd9b70e95b 166->175 173->69 179 7ffd9b70ea1a-7ffd9b70ea2f 174->179 180 7ffd9b70e9ea-7ffd9b70ea15 call 7ffd9b700d40 call 7ffd9b70d290 174->180 188 7ffd9b70e95d-7ffd9b70e984 175->188 186 7ffd9b70ea35-7ffd9b70eb07 call 7ffd9b700d40 call 7ffd9b70d290 179->186 187 7ffd9b70eb0c-7ffd9b70eb21 179->187 180->69 186->69 195 7ffd9b70eb27-7ffd9b70eb2a 187->195 196 7ffd9b70ebe8-7ffd9b70ebfd 187->196 188->43 201 7ffd9b70e98a-7ffd9b70e9a1 188->201 198 7ffd9b70ebdd-7ffd9b70ebe2 195->198 199 7ffd9b70eb30-7ffd9b70eb3b 195->199 206 7ffd9b70ebff-7ffd9b70ec0c call 7ffd9b70d290 196->206 207 7ffd9b70ec11-7ffd9b70ec26 196->207 209 7ffd9b70ebe3 198->209 199->198 203 7ffd9b70eb41-7ffd9b70ebdb call 7ffd9b700d40 call 7ffd9b70d290 199->203 201->69 203->209 206->69 217 7ffd9b70ec9d-7ffd9b70ecb2 207->217 218 7ffd9b70ec28-7ffd9b70ec39 207->218 209->69 225 7ffd9b70ecf2-7ffd9b70ed07 217->225 226 7ffd9b70ecb4-7ffd9b70ecb7 217->226 218->43 223 7ffd9b70ec3f-7ffd9b70ec4f call 7ffd9b700a20 218->223 236 7ffd9b70ec51-7ffd9b70ec76 call 7ffd9b70d290 223->236 237 7ffd9b70ec7b-7ffd9b70ec98 call 7ffd9b700a20 call 7ffd9b700a28 call 7ffd9b70b2e0 223->237 234 7ffd9b70ed4d-7ffd9b70ed62 225->234 235 7ffd9b70ed09-7ffd9b70ed48 call 7ffd9b708f50 call 7ffd9b70bd00 call 7ffd9b70b2e8 225->235 226->43 229 7ffd9b70ecbd-7ffd9b70eced call 7ffd9b700a18 call 7ffd9b700a28 call 7ffd9b70b2e0 226->229 229->69 254 7ffd9b70ee02-7ffd9b70ee17 234->254 255 7ffd9b70ed68-7ffd9b70edfd call 7ffd9b700d40 call 7ffd9b70d290 234->255 235->69 236->69 237->69 254->69 268 7ffd9b70ee1d-7ffd9b70ee24 254->268 255->69 274 7ffd9b70ee26-7ffd9b70ee30 call 7ffd9b70b598 268->274 275 7ffd9b70ee37-7ffd9b70ee68 268->275 274->275 275->69
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.3020757993.00007FFD9B700000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B700000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7ffd9b700000_7laJ4zKd8O.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: Q_H
                                                                              • API String ID: 0-50712008
                                                                              • Opcode ID: e4921deaf0d8d2345c5cf8383ac3e743ff6bcd3c68b84ef601c58ff74823f550
                                                                              • Instruction ID: 520b0d340cb4e7f0e2e8df5a33ff3fe6bc009e440b60aeb4af8201dcd3b932c2
                                                                              • Opcode Fuzzy Hash: e4921deaf0d8d2345c5cf8383ac3e743ff6bcd3c68b84ef601c58ff74823f550
                                                                              • Instruction Fuzzy Hash: 3B626330F1D60E4BEBA8F7B884A5A7972D2EF98304F914679D05DC72EADD2CAD018741
                                                                              Function 00007FFD9B701719 Relevance: 2.0, Strings: 1, Instructions: 705COMMON
                                                                              Download Yara Rule

                                                                              Control-flow Graph

                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.3020757993.00007FFD9B700000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B700000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7ffd9b700000_7laJ4zKd8O.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: CAN_^
                                                                              • API String ID: 0-3098826533
                                                                              • Opcode ID: b71115c6c518cd9856a3216b02bf575746d5010e6c4484bc362d2b3aa65ef374
                                                                              • Instruction ID: 0380532cc6e3e1d80c345c780388ee4b3c4a60e52035237edf0b426f0a9c74a8
                                                                              • Opcode Fuzzy Hash: b71115c6c518cd9856a3216b02bf575746d5010e6c4484bc362d2b3aa65ef374
                                                                              • Instruction Fuzzy Hash: 0F22E661B19A4D4FE7A8FB7884756B977D2FF99304F4405BAE04EC32EACD28AD018741
                                                                              Function 00007FFD9B707A81 Relevance: 1.6, APIs: 1, Instructions: 134COMMON
                                                                              Download Yara Rule

                                                                              Control-flow Graph

                                                                              • Executed
                                                                              • Not Executed
                                                                              control_flow_graph 459 7ffd9b707a81-7ffd9b707a9a 460 7ffd9b707a9c-7ffd9b707b3d CheckRemoteDebuggerPresent 459->460 461 7ffd9b707a37-7ffd9b707a45 459->461 465 7ffd9b707b45-7ffd9b707b88 460->465 466 7ffd9b707b3f 460->466 466->465
                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.3020757993.00007FFD9B700000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B700000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7ffd9b700000_7laJ4zKd8O.jbxd
                                                                              Similarity
                                                                              • API ID: CheckDebuggerPresentRemote
                                                                              • String ID:
                                                                              • API String ID: 3662101638-0
                                                                              • Opcode ID: e875fea829d81af0334fb619a55a7c3b9e8bb702c6989681cbb7f979ddf1c090
                                                                              • Instruction ID: dab8cc8381bd96893900c953d865368586ac2c1b741b4301b22a9dc8830d5fc7
                                                                              • Opcode Fuzzy Hash: e875fea829d81af0334fb619a55a7c3b9e8bb702c6989681cbb7f979ddf1c090
                                                                              • Instruction Fuzzy Hash: 0241103190875C8FCB58DF98C8866E97BE0FF65311F0542ABD489D7292DB34A906CB91
                                                                              Function 00007FFD9B7010A5 Relevance: 1.4, Strings: 1, Instructions: 195COMMON
                                                                              Download Yara Rule

                                                                              Control-flow Graph

                                                                              • Executed
                                                                              • Not Executed
                                                                              control_flow_graph 569 7ffd9b7010a5-7ffd9b7010d9 574 7ffd9b7010db-7ffd9b70110d 569->574 575 7ffd9b70110e-7ffd9b7011ce 569->575 574->575 587 7ffd9b7011d5-7ffd9b7011d6 575->587 588 7ffd9b7011d0 575->588 589 7ffd9b7011dc-7ffd9b7011de 587->589 590 7ffd9b7011d8 587->590 588->587 591 7ffd9b7011e3-7ffd9b7011e6 589->591 592 7ffd9b7011e0 589->592 590->589 593 7ffd9b7011ea-7ffd9b7011ee 591->593 594 7ffd9b7011e8 591->594 592->591 595 7ffd9b7011f1-7ffd9b701226 593->595 596 7ffd9b7011f0 593->596 594->593 596->595
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.3020757993.00007FFD9B700000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B700000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7ffd9b700000_7laJ4zKd8O.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: CAN_^
                                                                              • API String ID: 0-3098826533
                                                                              • Opcode ID: 1f3ca943c5cce29ec0759f5d587c4a7d091070f7491a9f3b72b8b2e95bdc055b
                                                                              • Instruction ID: 8ba3a4c6dd6b6b7d8ff4bb410ee8c566a55d3e494dad438d1fecb0a90392cc8b
                                                                              • Opcode Fuzzy Hash: 1f3ca943c5cce29ec0759f5d587c4a7d091070f7491a9f3b72b8b2e95bdc055b
                                                                              • Instruction Fuzzy Hash: 76512527B0C67246E32677FD74A19EB7BA0DF4237574841B7D28E8E4D78C09284687D2
                                                                              Function 00007FFD9B7060C6 Relevance: .5, Instructions: 492COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.3020757993.00007FFD9B700000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B700000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7ffd9b700000_7laJ4zKd8O.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: c3422cacb41bc23eb56074ed2533735f7793ddcccaf78f691acf9b1f69d4178f
                                                                              • Instruction ID: b08bd7435e9cc56153923967fd44d3188c3a6af8849c1e05cb6e80170927165f
                                                                              • Opcode Fuzzy Hash: c3422cacb41bc23eb56074ed2533735f7793ddcccaf78f691acf9b1f69d4178f
                                                                              • Instruction Fuzzy Hash: 2EF19530A09A4E4FEBA8DF28C8657E977D1FF54310F04426AE84DC76A5DB74E9418B82
                                                                              Function 00007FFD9B706E72 Relevance: .5, Instructions: 475COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.3020757993.00007FFD9B700000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B700000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7ffd9b700000_7laJ4zKd8O.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: ba9ad7138615c78f16cc67344bedfe52fbaf3c3c15be2f3b8efed6045116b14f
                                                                              • Instruction ID: 6ebbcd45cd7686ac9b9c778e2c70f66a12a0f9426e1d4f692f8f4cabe8457a26
                                                                              • Opcode Fuzzy Hash: ba9ad7138615c78f16cc67344bedfe52fbaf3c3c15be2f3b8efed6045116b14f
                                                                              • Instruction Fuzzy Hash: 8EF1A330A09A4D8FEBA8DF28C8657E977D1FB54310F04436AD84DC72A5DA74A9458B81
                                                                              Function 00007FFD9B7020F1 Relevance: .2, Instructions: 210COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.3020757993.00007FFD9B700000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B700000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7ffd9b700000_7laJ4zKd8O.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 2cdfb06eca7b20e6044b510a7d9e9ae9c0156a14ad517521af8b7de087fb582a
                                                                              • Instruction ID: cf200d25aa7f17dabd1cc2da59e7f808e3cbbab96452ad4ffe8626392780549a
                                                                              • Opcode Fuzzy Hash: 2cdfb06eca7b20e6044b510a7d9e9ae9c0156a14ad517521af8b7de087fb582a
                                                                              • Instruction Fuzzy Hash: 0E51EB11B0E6C94FD79AABB85874675BFE5DF8B229B0801FBE0C9C61E7DD481806C342
                                                                              Function 00007FFD9B708BF2 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 163COMMON
                                                                              Download Yara Rule

                                                                              Control-flow Graph

                                                                              APIs
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.3020757993.00007FFD9B700000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B700000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7ffd9b700000_7laJ4zKd8O.jbxd
                                                                              Similarity
                                                                              • API ID: CriticalProcess
                                                                              • String ID: M_^$M_^
                                                                              • API String ID: 2695349919-1402490971
                                                                              • Opcode ID: 93ddf90fa457b02480438e13449a02104cb718f5360f15b7cded74991c28bf95
                                                                              • Instruction ID: bfa63e7652403fe0e8bbf824be1255512207cd82906eff12cb07eb1331e0ef41
                                                                              • Opcode Fuzzy Hash: 93ddf90fa457b02480438e13449a02104cb718f5360f15b7cded74991c28bf95
                                                                              • Instruction Fuzzy Hash: 3941297190E7488FEB29DB9C88696B97FF0EF65310F0402BFD0D9C35A2EA2469058741
                                                                              Function 00007FFD9B709838 Relevance: 1.7, APIs: 1, Instructions: 171COMMON
                                                                              Download Yara Rule

                                                                              Control-flow Graph

                                                                              • Executed
                                                                              • Not Executed
                                                                              control_flow_graph 393 7ffd9b709838-7ffd9b70983e 394 7ffd9b70983f-7ffd9b709846 393->394 396 7ffd9b709848-7ffd9b7098a2 394->396 396->394 406 7ffd9b7098a4-7ffd9b7098aa 396->406 408 7ffd9b709847 406->408 409 7ffd9b7098ac-7ffd9b709960 RtlSetProcessIsCritical 406->409 408->396 413 7ffd9b709962 409->413 414 7ffd9b709968-7ffd9b70999d 409->414 413->414
                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.3020757993.00007FFD9B700000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B700000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7ffd9b700000_7laJ4zKd8O.jbxd
                                                                              Similarity
                                                                              • API ID: CriticalProcess
                                                                              • String ID:
                                                                              • API String ID: 2695349919-0
                                                                              • Opcode ID: 55a01bb54f9e2bbec33d486021f137a2056bfa093bf78898b35135621d5d5047
                                                                              • Instruction ID: 45f62ff731942e5ce1d180e581f28176f3b35aca80a2f406d4015caf13258f3b
                                                                              • Opcode Fuzzy Hash: 55a01bb54f9e2bbec33d486021f137a2056bfa093bf78898b35135621d5d5047
                                                                              • Instruction Fuzzy Hash: C251287290E7984FE7298B9C98596B97BE0FF55700F04016FE0D9D32E3DA24AA45C741
                                                                              Function 00007FFD9B70A2F8 Relevance: 1.7, APIs: 1, Instructions: 169COMMON
                                                                              Download Yara Rule

                                                                              Control-flow Graph

                                                                              • Executed
                                                                              • Not Executed
                                                                              control_flow_graph 416 7ffd9b70a2f8-7ffd9b70a2ff 417 7ffd9b70a301-7ffd9b70a309 416->417 418 7ffd9b70a30a-7ffd9b70a31a 416->418 417->418 419 7ffd9b70a2b7-7ffd9b70a2c4 418->419 420 7ffd9b70a31c-7ffd9b70a37d 418->420 424 7ffd9b70a2c6 419->424 425 7ffd9b70a2cc-7ffd9b70a2f3 419->425 428 7ffd9b70a383-7ffd9b70a390 420->428 429 7ffd9b70a409-7ffd9b70a40d 420->429 424->425 430 7ffd9b70a392-7ffd9b70a3cf SetWindowsHookExW 428->430 429->430 431 7ffd9b70a3d1 430->431 432 7ffd9b70a3d7-7ffd9b70a408 430->432 431->432
                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.3020757993.00007FFD9B700000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B700000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7ffd9b700000_7laJ4zKd8O.jbxd
                                                                              Similarity
                                                                              • API ID: HookWindows
                                                                              • String ID:
                                                                              • API String ID: 2559412058-0
                                                                              • Opcode ID: c348c444f181634b86bfea5eaad19f535d2b29eef8ea1207e6653f9b01b9a6cf
                                                                              • Instruction ID: 1b2979ff71278c9864b29a808522b08262404ef4e6b747f6907b2b37ad3ce73f
                                                                              • Opcode Fuzzy Hash: c348c444f181634b86bfea5eaad19f535d2b29eef8ea1207e6653f9b01b9a6cf
                                                                              • Instruction Fuzzy Hash: C641F631A0CA5D8FDB58DB6C98566F9BBE0EF59321F00427FD059C31A2DE65A812CB81
                                                                              Function 00007FFD9B709858 Relevance: 1.7, APIs: 1, Instructions: 157COMMON
                                                                              Download Yara Rule

                                                                              Control-flow Graph

                                                                              • Executed
                                                                              • Not Executed
                                                                              control_flow_graph 436 7ffd9b709858-7ffd9b70985f 437 7ffd9b709861-7ffd9b7098a2 436->437 444 7ffd9b70983f-7ffd9b709846 437->444 445 7ffd9b7098a4-7ffd9b7098aa 437->445 450 7ffd9b709848-7ffd9b70985f 444->450 448 7ffd9b709847 445->448 449 7ffd9b7098ac-7ffd9b709960 RtlSetProcessIsCritical 445->449 448->450 456 7ffd9b709962 449->456 457 7ffd9b709968-7ffd9b70999d 449->457 450->437 456->457
                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.3020757993.00007FFD9B700000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B700000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7ffd9b700000_7laJ4zKd8O.jbxd
                                                                              Similarity
                                                                              • API ID: CriticalProcess
                                                                              • String ID:
                                                                              • API String ID: 2695349919-0
                                                                              • Opcode ID: 09285ddf304d7690d395b6c1ca6b12a662c419e0440d9e8680eddfa8a4a66165
                                                                              • Instruction ID: a014973ccec62f4fccad73739e6aaff96c2dbaed65a55ce3e56dd2ee6b9123d3
                                                                              • Opcode Fuzzy Hash: 09285ddf304d7690d395b6c1ca6b12a662c419e0440d9e8680eddfa8a4a66165
                                                                              • Instruction Fuzzy Hash: 0841273290DB984FE729CB9C98596F97BE0EF55310F04016FE0D9D32E3DA24A945C751

                                                                              Executed Functions

                                                                              Function 00007FFD9B6F644D Relevance: .7, Instructions: 721COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.1894319208.00007FFD9B6F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6F0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_7ffd9b6f0000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: a9da6c87285a52ba037feab78149a146f3f42b723e1df80fffd2134390f092ee
                                                                              • Instruction ID: 083087076f2e24f7b48ab767f4aa792390b1ff555cafc84a16dfa7d233529698
                                                                              • Opcode Fuzzy Hash: a9da6c87285a52ba037feab78149a146f3f42b723e1df80fffd2134390f092ee
                                                                              • Instruction Fuzzy Hash: 6CD17F31B08A4D8FDF94DF58C495AA97BE1FF68300F15416AD419D72A5CB34F981CB81
                                                                              Function 00007FFD9B7C6660 Relevance: .4, Instructions: 401COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.1894756351.00007FFD9B7C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7C0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_7ffd9b7c0000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 4d209881a1a2d50129b079cdd1b4f6e8ad9344290c4034699f2c5cd5abcb9b83
                                                                              • Instruction ID: ace622bd7ca01fa5da7d8a9f18cc82386bbabfd80b82413ab232d2cbb54a16e4
                                                                              • Opcode Fuzzy Hash: 4d209881a1a2d50129b079cdd1b4f6e8ad9344290c4034699f2c5cd5abcb9b83
                                                                              • Instruction Fuzzy Hash: 81C14732B0EB8E1FEBA4BB6848A55B97BD0EF25314B1902BED45DC71F3D918E8018341
                                                                              Function 00007FFD9B6FA129 Relevance: .2, Instructions: 215COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.1894319208.00007FFD9B6F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6F0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_7ffd9b6f0000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: af7131329ae117c19146d20b817c4f09c751d483454c325bba334d6461c4a061
                                                                              • Instruction ID: 6f97b19e4f13dd994fa082d93b9dc993a485cd6d5daca070287749c6dd285336
                                                                              • Opcode Fuzzy Hash: af7131329ae117c19146d20b817c4f09c751d483454c325bba334d6461c4a061
                                                                              • Instruction Fuzzy Hash: 0EF0E531908A8C8FCB55DF2888294E47FF0FF25301B0501ABE44DC7071DB219A08CBC2
                                                                              Function 00007FFD9B6F9758 Relevance: .1, Instructions: 131COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.1894319208.00007FFD9B6F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6F0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_7ffd9b6f0000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 9c0ea5a7fb4a687b4c8052f9ceb51bfdb445aaf23a2811e846c5411e5ed84d2e
                                                                              • Instruction ID: c23062b4244cfcc531a15dbb63719be048ed89c80c048d9837b507e7d62a794e
                                                                              • Opcode Fuzzy Hash: 9c0ea5a7fb4a687b4c8052f9ceb51bfdb445aaf23a2811e846c5411e5ed84d2e
                                                                              • Instruction Fuzzy Hash: E931F931A1DB4C4FDB1C9F5C984A6A97BE0FBA5310F10412FE45993292CA20B955CBC2
                                                                              Function 00007FFD9B5DE40A Relevance: .1, Instructions: 130COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.1893866737.00007FFD9B5DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B5DD000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_7ffd9b5dd000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 4c739f8d96f82f0943349090c3412ae5fc9fe7ecd2db0a808bec0a596a119f6c
                                                                              • Instruction ID: cd3270256a658206d89defd44ed4922822f8eea887444720a459dffda5f9f730
                                                                              • Opcode Fuzzy Hash: 4c739f8d96f82f0943349090c3412ae5fc9fe7ecd2db0a808bec0a596a119f6c
                                                                              • Instruction Fuzzy Hash: 7441D07250FBC44FDB97AB3898655513FB0EF53250B0A46EBC088CF1A3E528A909C762
                                                                              Function 00007FFD9B6FA62C Relevance: .1, Instructions: 99COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.1894319208.00007FFD9B6F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6F0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_7ffd9b6f0000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 522a07e09be5963a22f287836edf2d4be223340dbadd6583cee2603649e03ec3
                                                                              • Instruction ID: 3021e7c240088f4bad3efa36c884405cecc874c53e331158cb9b11c687de41a9
                                                                              • Opcode Fuzzy Hash: 522a07e09be5963a22f287836edf2d4be223340dbadd6583cee2603649e03ec3
                                                                              • Instruction Fuzzy Hash: 1C21283090D74C4FDB59DFAC984A7E97FF0EB56321F04416BD048C3162CA74A406CB92
                                                                              Function 00007FFD9B6F33B5 Relevance: .0, Instructions: 49COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.1894319208.00007FFD9B6F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6F0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_7ffd9b6f0000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
                                                                              • Instruction ID: aeccee5b562ea5463f868d677630b07246dd430228e5e68190c4d2012b6ba0ab
                                                                              • Opcode Fuzzy Hash: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
                                                                              • Instruction Fuzzy Hash: 8501A73120CB0C4FD748EF0CE051AA5B7E0FB85364F10056DE58AC36A5DB32E882CB41
                                                                              Function 00007FFD9B7C414D Relevance: .0, Instructions: 37COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.1894756351.00007FFD9B7C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7C0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_7ffd9b7c0000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: e088b48f0fc8ea1fdeef957784ea9df10cedef653184541d19bc518e674557db
                                                                              • Instruction ID: e94c7cdea61946fd8688d98f09369ddfa2d58307aa65622cc54fa6d034428f39
                                                                              • Opcode Fuzzy Hash: e088b48f0fc8ea1fdeef957784ea9df10cedef653184541d19bc518e674557db
                                                                              • Instruction Fuzzy Hash: 45F0B432B0EA098FD768EA4CE4518E473E0EF55320B1600BEE09DC71B3CA25EC40C741
                                                                              Function 00007FFD9B7C4400 Relevance: .0, Instructions: 35COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.1894756351.00007FFD9B7C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7C0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_7ffd9b7c0000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: f3aca2d56e572220def85f0ae341a8a845a237d25441f7988e55bb5647cf3fee
                                                                              • Instruction ID: 90fe81290a2a96dea9bb3d16deaaabec5bd19d2ef83596e88c0c7cded0865f3e
                                                                              • Opcode Fuzzy Hash: f3aca2d56e572220def85f0ae341a8a845a237d25441f7988e55bb5647cf3fee
                                                                              • Instruction Fuzzy Hash: 4CF0BE32B0E6498FDB68EA4CE4608A877E0FF0532071600BAE05DC71B3CA25ED40C740
                                                                              Function 00007FFD9B7C41D1 Relevance: .0, Instructions: 29COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.1894756351.00007FFD9B7C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7C0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_7ffd9b7c0000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
                                                                              • Instruction ID: 52608d1712e7bd0336d50187b917c3a8eb4d52ee29c1a5fda26bda90e85e8bec
                                                                              • Opcode Fuzzy Hash: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
                                                                              • Instruction Fuzzy Hash: 34E0123170C9089FD678EA4CE0519F973E1EB98331B1212BFD14EC7671C621ED518B80

                                                                              Non-executed Functions

                                                                              Function 00007FFD9B6F8BFA Relevance: 5.1, Strings: 4, Instructions: 85COMMON
                                                                              Download Yara Rule
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.1894319208.00007FFD9B6F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6F0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_7ffd9b6f0000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: N_^4$N_^7$N_^F$N_^J
                                                                              • API String ID: 0-3508309026
                                                                              • Opcode ID: 2f5b78e997f032b4b8a1963d1e0a1c1ccde872ad4d7bd0ddebff894856409483
                                                                              • Instruction ID: 483319d31c5b65ba4acc3930877de182ff24349640b4eb8931b3c2a714fcf4b2
                                                                              • Opcode Fuzzy Hash: 2f5b78e997f032b4b8a1963d1e0a1c1ccde872ad4d7bd0ddebff894856409483
                                                                              • Instruction Fuzzy Hash: 6B213B777080264EE3067BBCBC649DA3B90DF9423478501F2D2A9CF183ED18748686C2

                                                                              Executed Functions

                                                                              Function 00007FFD9B7F6660 Relevance: .4, Instructions: 400COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000004.00000002.1997333105.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_4_2_7ffd9b7f0000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 53834289c5f59c28e75a6b1bbdffbc0671187d4cd93125d658815c56969eaf2f
                                                                              • Instruction ID: 84c84cad84632775300269bdf22c102bebbc4e10dcde540117bd2c8c7816c781
                                                                              • Opcode Fuzzy Hash: 53834289c5f59c28e75a6b1bbdffbc0671187d4cd93125d658815c56969eaf2f
                                                                              • Instruction Fuzzy Hash: B8C12432B0EB8E0FEBA5ABA848655B97F91EF15314B0902BED45DC70F3D918E900C381
                                                                              Function 00007FFD9B72A0E0 Relevance: .3, Instructions: 266COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000004.00000002.1996661720.00007FFD9B720000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B720000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_4_2_7ffd9b720000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 61fc8b310adf1709878d7de42787362b32876a49f3d2cd999f49aef2e232d3d5
                                                                              • Instruction ID: d2f9f290f791d90cef1e8b0095d2998b57bf06aed32069241beb159b2ee9319f
                                                                              • Opcode Fuzzy Hash: 61fc8b310adf1709878d7de42787362b32876a49f3d2cd999f49aef2e232d3d5
                                                                              • Instruction Fuzzy Hash: 0D216A66A0F7CE4FD753AB689C750D47FB0EF63214B0A02E7C088CB0B3D91959098792
                                                                              Function 00007FFD9B7F4073 Relevance: .2, Instructions: 184COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000004.00000002.1997333105.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_4_2_7ffd9b7f0000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 509df4221f61cc063c6f6f10bdbe7b3e5d915cac1cc00c966633131a3704edee
                                                                              • Instruction ID: c417a9f7eeb6754b816052cc9224298875e263ad6993d8ace99533e23d4b9f7d
                                                                              • Opcode Fuzzy Hash: 509df4221f61cc063c6f6f10bdbe7b3e5d915cac1cc00c966633131a3704edee
                                                                              • Instruction Fuzzy Hash: 97512522B0EB4E0FE7A99A5D44626747BD2EF94320F5902BEC15DC71B7DE14EC058385
                                                                              Function 00007FFD9B7F4370 Relevance: .1, Instructions: 148COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000004.00000002.1997333105.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_4_2_7ffd9b7f0000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: fe0de6ae05859f2aa4b396d13ee8e68732e101cd43d2ec23001a7a1c6bcda475
                                                                              • Instruction ID: 6cfb4087538a0580fbfe062e115d872b84991b7f13fc8fd0c0ae2bdf07d943f7
                                                                              • Opcode Fuzzy Hash: fe0de6ae05859f2aa4b396d13ee8e68732e101cd43d2ec23001a7a1c6bcda475
                                                                              • Instruction Fuzzy Hash: 51412532B0EB4D4FEBA9D66C94605B47BD1EF80320B0902BED05DD70B7EA14AD118385
                                                                              Function 00007FFD9B729770 Relevance: .1, Instructions: 135COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000004.00000002.1996661720.00007FFD9B720000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B720000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_4_2_7ffd9b720000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 315e4a2d62a5fd9bb7bdf51f9739a332463d2494b4b2c9c8761704676b09aac0
                                                                              • Instruction ID: 0c0b5df222696b23149234fb66bb769a2ea0d2f58732310ac58a1fbd7c1d0ac1
                                                                              • Opcode Fuzzy Hash: 315e4a2d62a5fd9bb7bdf51f9739a332463d2494b4b2c9c8761704676b09aac0
                                                                              • Instruction Fuzzy Hash: 36411B3190DB8C4FDB189F5C9C0A6F97BE0FB95710F04426FE44993252CA74A915CBC2
                                                                              Function 00007FFD9B60E540 Relevance: .1, Instructions: 124COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000004.00000002.1995857933.00007FFD9B60D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B60D000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_4_2_7ffd9b60d000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 7812924f62250207578ff7acb1e290d72c8fd7f636c4d6c1e52f980478f56b41
                                                                              • Instruction ID: a699b61ee6aac330d8b3b93365aff867a64eba8df49c85d8ce7ae772d59103a3
                                                                              • Opcode Fuzzy Hash: 7812924f62250207578ff7acb1e290d72c8fd7f636c4d6c1e52f980478f56b41
                                                                              • Instruction Fuzzy Hash: 9041237180EBC44FE7578B2A98519523FF0EF53220B1A06DFD0D8CB1A7D625A846C792
                                                                              Function 00007FFD9B72A64C Relevance: .1, Instructions: 102COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000004.00000002.1996661720.00007FFD9B720000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B720000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_4_2_7ffd9b720000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 4d1c492fbfb12d0810f46ee8f30cfa42d228279cfa56005ed7a356d4026a4456
                                                                              • Instruction ID: 463b3788aba0698c30c6b43ad6a33e44412e87c7cf90204b8a8db8fd8782ed57
                                                                              • Opcode Fuzzy Hash: 4d1c492fbfb12d0810f46ee8f30cfa42d228279cfa56005ed7a356d4026a4456
                                                                              • Instruction Fuzzy Hash: E5210A3190CB4C4FEB59DFAC984A7E97FF0EB56321F04426BD049C3162DA74A85ACB91
                                                                              Function 00007FFD9B7F40BF Relevance: .1, Instructions: 97COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000004.00000002.1997333105.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_4_2_7ffd9b7f0000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 84e63ddfe4ad90b7a9b384a18504d2bd7dcd8cbfaba9cd025ed49af4267e5da7
                                                                              • Instruction ID: d9f78e2584b86e05c7d1d080f3754fc3b2f683a01b28a0f1f57a1ee5aee3fe2e
                                                                              • Opcode Fuzzy Hash: 84e63ddfe4ad90b7a9b384a18504d2bd7dcd8cbfaba9cd025ed49af4267e5da7
                                                                              • Instruction Fuzzy Hash: B021B122B0EB8E4FE7B58A5944A25747AD2EF61310F5A02BED05DC71B2DE18ED048389
                                                                              Function 00007FFD9B7F43BC Relevance: .1, Instructions: 64COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000004.00000002.1997333105.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_4_2_7ffd9b7f0000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: e7ea54bc09413523a316084df8b5d5cabb1f086d36be248dbfc5da49ff024af9
                                                                              • Instruction ID: eaae91dd37f763e2a860ec3cc58cd80b4d8d0968084d8ea7aaae72176d5d56d1
                                                                              • Opcode Fuzzy Hash: e7ea54bc09413523a316084df8b5d5cabb1f086d36be248dbfc5da49ff024af9
                                                                              • Instruction Fuzzy Hash: A111E332F0F6494FEBB5D75984B45B47AD1EF40320B5A02BED06DD70B7DA19AD008385
                                                                              Function 00007FFD9B7233B5 Relevance: .0, Instructions: 49COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000004.00000002.1996661720.00007FFD9B720000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B720000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_4_2_7ffd9b720000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 582908582f657131c1f04ed76f34d09c60f6b2c2f8b724a61ceffa3ac25bcdd6
                                                                              • Instruction ID: e17d85184fad31c13ada86d5426208b1c41bb9779e976ed96b09a15e38c53ac4
                                                                              • Opcode Fuzzy Hash: 582908582f657131c1f04ed76f34d09c60f6b2c2f8b724a61ceffa3ac25bcdd6
                                                                              • Instruction Fuzzy Hash: 0501A73020CB0C4FD748EF0CE051AA5B3E0FB85324F10056DE58AC36A5DB32E882CB41

                                                                              Non-executed Functions

                                                                              Function 00007FFD9B728BF2 Relevance: 10.1, Strings: 8, Instructions: 85COMMON
                                                                              Download Yara Rule
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000004.00000002.1996661720.00007FFD9B720000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B720000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_4_2_7ffd9b720000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: K_^8$K_^<$K_^?$K_^J$K_^K$K_^N$K_^Q$K_^Y
                                                                              • API String ID: 0-2350917820
                                                                              • Opcode ID: 227aa69b1fbc1c82fa311b63e9fce6667358cd8e78cee4ad2729eeab0005292d
                                                                              • Instruction ID: 3b4a98d4ae508f18ff5c01a361595da309660d96af74991616c8c0255fb60f13
                                                                              • Opcode Fuzzy Hash: 227aa69b1fbc1c82fa311b63e9fce6667358cd8e78cee4ad2729eeab0005292d
                                                                              • Instruction Fuzzy Hash: CB212673B085165ADB0637BCB8919D977E0DF5437838502F3E028CF193DD1AA8CB8681

                                                                              Executed Functions

                                                                              Function 00007FFD9B6E644D Relevance: .7, Instructions: 724COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000009.00000002.2131724440.00007FFD9B6E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6E0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_9_2_7ffd9b6e0000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: aa57d6fb3eeae85c485ebb5347491d1e38ddb16a12d3f849680a5a2884f07e5f
                                                                              • Instruction ID: d433d7c56c8a41b527f3e85469a83f35d325bd56b5493ea5ae34e1ec550d89fe
                                                                              • Opcode Fuzzy Hash: aa57d6fb3eeae85c485ebb5347491d1e38ddb16a12d3f849680a5a2884f07e5f
                                                                              • Instruction Fuzzy Hash: 5ED18031A18A4D8FDF98DF58C494AAD7BE1FF68300F1541AAD419DB2A6CB34F851CB81
                                                                              Function 00007FFD9B7B6660 Relevance: .4, Instructions: 398COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000009.00000002.2132614808.00007FFD9B7B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7B0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_9_2_7ffd9b7b0000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: d15f79307eaf6091b202ac6dfd4bdc490bedc5ed33ce449c4171e226ad9f3a6d
                                                                              • Instruction ID: 846ec89c02e62598182aedca59d768bf77345902879cf1a86a1028a80aa35a1e
                                                                              • Opcode Fuzzy Hash: d15f79307eaf6091b202ac6dfd4bdc490bedc5ed33ce449c4171e226ad9f3a6d
                                                                              • Instruction Fuzzy Hash: 76C14632B0FB9E0FEBA4AB6848655B9BB91EF15314B0902BED15DC70F7D918ED018B41
                                                                              Function 00007FFD9B6E9D38 Relevance: .2, Instructions: 218COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000009.00000002.2131724440.00007FFD9B6E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6E0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_9_2_7ffd9b6e0000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 94ba575aa18533a64d03f917b8073be9706ce32ac343b33667ef29f1358b249e
                                                                              • Instruction ID: 27ebaa624be189f7ed355df80715bc909c1508c7119c4be1930e908b5adcb35a
                                                                              • Opcode Fuzzy Hash: 94ba575aa18533a64d03f917b8073be9706ce32ac343b33667ef29f1358b249e
                                                                              • Instruction Fuzzy Hash: 64F0E230818A8C4FDB64EF1888195A87FE0FF25300F0101ABE40ECB161DB24A918C7C6
                                                                              Function 00007FFD9B6E9758 Relevance: .1, Instructions: 128COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000009.00000002.2131724440.00007FFD9B6E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6E0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_9_2_7ffd9b6e0000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 94b1b9ee026d45b75afd45a87addc3820139564edf613e93eb786551942566cb
                                                                              • Instruction ID: 8b847b386442f8f57aaf49f2b9e6682cb41834a84eadf0290117aef69a829d26
                                                                              • Opcode Fuzzy Hash: 94b1b9ee026d45b75afd45a87addc3820139564edf613e93eb786551942566cb
                                                                              • Instruction Fuzzy Hash: 9831D93191DB4C8FDB189F5C984A6AD7BE1FBA5310F00412FE45993292CB30A955CBC2
                                                                              Function 00007FFD9B5CEB80 Relevance: .1, Instructions: 128COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000009.00000002.2130785358.00007FFD9B5CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B5CD000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_9_2_7ffd9b5cd000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 5353d18f3b4d7ca821c9cc9f9b17cafe51f2d1b51bea5094e67f7ae4a19e82e0
                                                                              • Instruction ID: 8e7c9c112541ac5b91cb36b4f9fe430e606398d1e288cdab2cd89e41250e7295
                                                                              • Opcode Fuzzy Hash: 5353d18f3b4d7ca821c9cc9f9b17cafe51f2d1b51bea5094e67f7ae4a19e82e0
                                                                              • Instruction Fuzzy Hash: 2B41287140EBC84FE7A79B2898559723FF0EF52324B1605DFD089CB1A3D625B846C792
                                                                              Function 00007FFD9B6EA62C Relevance: .1, Instructions: 99COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000009.00000002.2131724440.00007FFD9B6E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6E0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_9_2_7ffd9b6e0000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 29c7d3b83f00283a4b4092a19ae7e7c9788b9f7610828a566704d1132d3959cd
                                                                              • Instruction ID: 3d2d813259cc2ceacadc28ac363955107ea8fd7a5b6dcd03906e98aff8251b27
                                                                              • Opcode Fuzzy Hash: 29c7d3b83f00283a4b4092a19ae7e7c9788b9f7610828a566704d1132d3959cd
                                                                              • Instruction Fuzzy Hash: 2521F83190CB4C4FDB59DFAC984A7F97FE0EB96321F04416BD049C7152DA74A416CB92
                                                                              Function 00007FFD9B6E3428 Relevance: .1, Instructions: 59COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000009.00000002.2131724440.00007FFD9B6E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6E0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_9_2_7ffd9b6e0000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: f435f370d42070f89e4690f5b93015e88bf11645643f13f4de6c63f86387c400
                                                                              • Instruction ID: 4980c22640e04410f0635f5fb6ac196c3f2383f4a2b53e776a33183e02a6fab3
                                                                              • Opcode Fuzzy Hash: f435f370d42070f89e4690f5b93015e88bf11645643f13f4de6c63f86387c400
                                                                              • Instruction Fuzzy Hash: E001D27250E7894FE7568B1CA8624947FF0EF43230B0902EFD0D5CB0A3D6266987C756
                                                                              Function 00007FFD9B6E33B5 Relevance: .0, Instructions: 49COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000009.00000002.2131724440.00007FFD9B6E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6E0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_9_2_7ffd9b6e0000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 76d70864090ee490991c90939bad70b8686d9afa50a49723ed7ebb2cc1aa164d
                                                                              • Instruction ID: 6c53e4b0e9e57e540be446d61fdf101b8c3d83c950fb20561b916774a3ebe4f7
                                                                              • Opcode Fuzzy Hash: 76d70864090ee490991c90939bad70b8686d9afa50a49723ed7ebb2cc1aa164d
                                                                              • Instruction Fuzzy Hash: 9001A73020CB0C4FD748EF0CE051AA5B3E0FB85324F10056DE58AC36A5DB32E882CB41
                                                                              Function 00007FFD9B7B414D Relevance: .0, Instructions: 37COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000009.00000002.2132614808.00007FFD9B7B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7B0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_9_2_7ffd9b7b0000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: e05e1eade0d67447d9424f45fe0693aafc622e1e4e0e9707dbba244b5df99f75
                                                                              • Instruction ID: 329f8598d863cc69c880c016178893fd112933d8b84dba5972b9f3dfd2fc51e9
                                                                              • Opcode Fuzzy Hash: e05e1eade0d67447d9424f45fe0693aafc622e1e4e0e9707dbba244b5df99f75
                                                                              • Instruction Fuzzy Hash: 3CF0BE32F0EA098FDB69EA4CE4558E873E0EF55320B1600BAE06DC71B3CA25EC40CB41
                                                                              Function 00007FFD9B7B4400 Relevance: .0, Instructions: 35COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000009.00000002.2132614808.00007FFD9B7B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7B0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_9_2_7ffd9b7b0000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: fe0ce53600a0093831fe22d02e72cc1055f6578bc41294db06ec51813596ca66
                                                                              • Instruction ID: d5da74fe6920b07948c83277b6da59297a54a88945a04d0d98cf2e469d191779
                                                                              • Opcode Fuzzy Hash: fe0ce53600a0093831fe22d02e72cc1055f6578bc41294db06ec51813596ca66
                                                                              • Instruction Fuzzy Hash: 27F0BE32A0E6498FDB68EA4CE0608A873F0FF0532071600BAE059C71B3CA25AC50CB40
                                                                              Function 00007FFD9B7B41D1 Relevance: .0, Instructions: 29COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000009.00000002.2132614808.00007FFD9B7B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7B0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_9_2_7ffd9b7b0000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
                                                                              • Instruction ID: d2fdef9f9d8698a3263587d2135c568bf769876d187644258486c0ea47f6f652
                                                                              • Opcode Fuzzy Hash: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
                                                                              • Instruction Fuzzy Hash: 5EE01A31B0C91C9FDA78DA4CE0559A973E1EB98321B1202BBD14EC7571CA22ED518F81
                                                                              Function 00007FFD9B6EA2AC Relevance: .0, Instructions: 24COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000009.00000002.2131724440.00007FFD9B6E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6E0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_9_2_7ffd9b6e0000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: c49449d2ac0313692a40979fe80b4a1ee3da1bfde7ffe00faa70c4389504a3a1
                                                                              • Instruction ID: f0afa1b50100a7561f4a67eef4b7d96d9ba89fcabe09da6dfc75c24aafefb342
                                                                              • Opcode Fuzzy Hash: c49449d2ac0313692a40979fe80b4a1ee3da1bfde7ffe00faa70c4389504a3a1
                                                                              • Instruction Fuzzy Hash: CEE04F35804A4C8FDF54EF18C8594E97BE0FF68301B05029BE81DC7120DB71AA58CBC2

                                                                              Non-executed Functions

                                                                              Function 00007FFD9B6E8995 Relevance: 5.1, Strings: 4, Instructions: 149COMMON
                                                                              Download Yara Rule
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000009.00000002.2131724440.00007FFD9B6E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6E0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_9_2_7ffd9b6e0000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: O_^$O_^$O_^$O_^
                                                                              • API String ID: 0-934926442
                                                                              • Opcode ID: 0a416d212610d06e1483e91e660e5e458d6c8f113408f20842dcf068d08e4022
                                                                              • Instruction ID: 76c5e955a94457a62227c5ff9ab430aa1f83b6bef624d2e246b01cc3b8765d20
                                                                              • Opcode Fuzzy Hash: 0a416d212610d06e1483e91e660e5e458d6c8f113408f20842dcf068d08e4022
                                                                              • Instruction Fuzzy Hash: 2C41A463A0F6D61FE327476D58750947FA0FF5225470A02F7C0A88F1E3ED18295B8352
                                                                              Function 00007FFD9B6E8BFA Relevance: 5.1, Strings: 4, Instructions: 85COMMON
                                                                              Download Yara Rule
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000009.00000002.2131724440.00007FFD9B6E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6E0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_9_2_7ffd9b6e0000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: O_^4$O_^7$O_^F$O_^J
                                                                              • API String ID: 0-875994666
                                                                              • Opcode ID: a413057a8f8920321a683e2af4ecbd9169ac557a9e95a1bce7bdc1cdb623b5ff
                                                                              • Instruction ID: 6b65fac254a97a7aa1eabc8fa341a8ff8a82c08f9737f597401de094be22bda8
                                                                              • Opcode Fuzzy Hash: a413057a8f8920321a683e2af4ecbd9169ac557a9e95a1bce7bdc1cdb623b5ff
                                                                              • Instruction Fuzzy Hash: 152129777180268EE3067B7DB8549DA3790CFD423638501F2D1AE8F283ED18748686D1

                                                                              Executed Functions

                                                                              Function 00007FFD9B6F644D Relevance: .7, Instructions: 722COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 0000000B.00000002.2349804080.00007FFD9B6F5000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6F5000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_11_2_7ffd9b6f5000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 3c981f7cd5ebc5f5e6277ccda3cd40e8a09fa4c9c786ae57fd4f3dc5fa72bfd8
                                                                              • Instruction ID: d11858d0c8cc3e3f495bf083636a1dbf743cd5b5f2129be0b491a46f7ad6facc
                                                                              • Opcode Fuzzy Hash: 3c981f7cd5ebc5f5e6277ccda3cd40e8a09fa4c9c786ae57fd4f3dc5fa72bfd8
                                                                              • Instruction Fuzzy Hash: 8FD16F31B08A4D8FDF94DF58C4A5AA97BE1FF68300F1541AAD419D72A5CA34F981CB81
                                                                              Function 00007FFD9B7C6660 Relevance: .4, Instructions: 406COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 0000000B.00000002.2351163987.00007FFD9B7C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7C0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_11_2_7ffd9b7c0000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 5896890cdf9f323372bc64998325c0e294b0aecdadfe64622cbf05515f80d204
                                                                              • Instruction ID: e49e9b5e92cf896d58eaf0184ac2bcae5055073692f3d3d45bd11724527f1036
                                                                              • Opcode Fuzzy Hash: 5896890cdf9f323372bc64998325c0e294b0aecdadfe64622cbf05515f80d204
                                                                              • Instruction Fuzzy Hash: 35C14632B0EB8E1FEBA5BBA848A55B57BD0EF25354B1902BED45DC71F7D918E8008341
                                                                              Function 00007FFD9B6F9750 Relevance: .1, Instructions: 142COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 0000000B.00000002.2349804080.00007FFD9B6F5000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6F5000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_11_2_7ffd9b6f5000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 38a5e8f672f16cbaf22c0d21aa9029ec5978006e5d6e0f7096cd56db2b18bfe4
                                                                              • Instruction ID: 262ef187b415500b0bdb43f3c4837d54f02b2d3bbd0d2be0929fc45d62f8becc
                                                                              • Opcode Fuzzy Hash: 38a5e8f672f16cbaf22c0d21aa9029ec5978006e5d6e0f7096cd56db2b18bfe4
                                                                              • Instruction Fuzzy Hash: F5411A71A0DB884FDB18DF6C9C0A6A97FE0FB56310F04416FE49993292CA64B915CBC6
                                                                              Function 00007FFD9B5DED40 Relevance: .1, Instructions: 124COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 0000000B.00000002.2348193019.00007FFD9B5DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B5DD000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_11_2_7ffd9b5dd000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: f1bee3beec2a1c1051cd51782de3c27fff73bf691477ed3d3c138a58831836fb
                                                                              • Instruction ID: db0c3f85d1c23d10027e93a84e439ef4f3156b080be4d0253667155166e4539e
                                                                              • Opcode Fuzzy Hash: f1bee3beec2a1c1051cd51782de3c27fff73bf691477ed3d3c138a58831836fb
                                                                              • Instruction Fuzzy Hash: B141293040EBC44FE7979B2998519523FF0EF97320B1A47DFD088CB1A3D625A846C792
                                                                              Function 00007FFD9B6FA49C Relevance: .1, Instructions: 100COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 0000000B.00000002.2349804080.00007FFD9B6F5000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6F5000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_11_2_7ffd9b6f5000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: fd43349fb61a6666d0405898a727a2b7f98742bd00884d61181bad25d5a536a1
                                                                              • Instruction ID: 0bb1b37fdaf6b612ed0bf832aafa34371195f0201507e96f7f1e5edfef97839d
                                                                              • Opcode Fuzzy Hash: fd43349fb61a6666d0405898a727a2b7f98742bd00884d61181bad25d5a536a1
                                                                              • Instruction Fuzzy Hash: ED213A3190C74C4FDB59DFAC984A7E97FF0EB96320F04416BD048C3162C674A81ACB92
                                                                              Function 00007FFD9B6F33B5 Relevance: .0, Instructions: 49COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 0000000B.00000002.2349804080.00007FFD9B6F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6F0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_11_2_7ffd9b6f0000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
                                                                              • Instruction ID: aeccee5b562ea5463f868d677630b07246dd430228e5e68190c4d2012b6ba0ab
                                                                              • Opcode Fuzzy Hash: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
                                                                              • Instruction Fuzzy Hash: 8501A73120CB0C4FD748EF0CE051AA5B7E0FB85364F10056DE58AC36A5DB32E882CB41
                                                                              Function 00007FFD9B7C414D Relevance: .0, Instructions: 37COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 0000000B.00000002.2351163987.00007FFD9B7C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7C0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_11_2_7ffd9b7c0000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 34c4fb9d294938c82691e40d6b384e2be4deacc55872c278f004643f5f74a914
                                                                              • Instruction ID: a956b013e8e44a3fbeee4fb48c9173c979a24a4b1b6bb507d3a0f0a97c1ca636
                                                                              • Opcode Fuzzy Hash: 34c4fb9d294938c82691e40d6b384e2be4deacc55872c278f004643f5f74a914
                                                                              • Instruction Fuzzy Hash: D4F0BE32B0EA098FD769EA4CE4518E873E0EF55320B1600BEE0ADC72B3CA25EC40C741
                                                                              Function 00007FFD9B7C4400 Relevance: .0, Instructions: 35COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 0000000B.00000002.2351163987.00007FFD9B7C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7C0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_11_2_7ffd9b7c0000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 01b154888f1f3c206bef50cf5dbecda22f418d2fdf3839bb6fa6f4990536d6b1
                                                                              • Instruction ID: a9ab6b47b494cf64ae25ef74265ca1a0b3490fad03b1000cbec5fb07bb922df9
                                                                              • Opcode Fuzzy Hash: 01b154888f1f3c206bef50cf5dbecda22f418d2fdf3839bb6fa6f4990536d6b1
                                                                              • Instruction Fuzzy Hash: 5DF0BE32A0E6498FDB64EA4CE0608A873E0FF0532072600BAE059C71B3CA25ED40C740
                                                                              Function 00007FFD9B7C41D1 Relevance: .0, Instructions: 29COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 0000000B.00000002.2351163987.00007FFD9B7C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7C0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_11_2_7ffd9b7c0000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
                                                                              • Instruction ID: 52608d1712e7bd0336d50187b917c3a8eb4d52ee29c1a5fda26bda90e85e8bec
                                                                              • Opcode Fuzzy Hash: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
                                                                              • Instruction Fuzzy Hash: 34E0123170C9089FD678EA4CE0519F973E1EB98331B1212BFD14EC7671C621ED518B80

                                                                              Non-executed Functions

                                                                              Function 00007FFD9B6F8BF2 Relevance: 10.1, Strings: 8, Instructions: 85COMMON
                                                                              Download Yara Rule
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 0000000B.00000002.2349804080.00007FFD9B6F5000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6F5000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_11_2_7ffd9b6f5000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: N_^8$N_^<$N_^?$N_^J$N_^K$N_^N$N_^Q$N_^Y
                                                                              • API String ID: 0-2388461625
                                                                              • Opcode ID: 9fbcb04bfe035fe85d9bc315c2e0a04bc0a348d1a00b88d828a9925e65419bb9
                                                                              • Instruction ID: e4b4045c72cd5308c4fd8af88a88c8bdd397bf06ec2fcfa736e5bc0438d8bac0
                                                                              • Opcode Fuzzy Hash: 9fbcb04bfe035fe85d9bc315c2e0a04bc0a348d1a00b88d828a9925e65419bb9
                                                                              • Instruction Fuzzy Hash: C521D773B085164AD30637BCBCA19D96BD1DF5437838501F3E229CF553DD19688B8683

                                                                              Executed Functions

                                                                              Function 00007FFD9B711719 Relevance: .7, Instructions: 705COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 0000000F.00000002.2436544813.00007FFD9B710000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B710000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_15_2_7ffd9b710000_System User.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 7db14a6735f2b3f1eb147bb3039b9e6c0b1d81bd93fe3587f167a9e06effc6f7
                                                                              • Instruction ID: eaccc6272a258bf35db967269d59e0ee7a956253bbf6f7f561b813fb24625fc3
                                                                              • Opcode Fuzzy Hash: 7db14a6735f2b3f1eb147bb3039b9e6c0b1d81bd93fe3587f167a9e06effc6f7
                                                                              • Instruction Fuzzy Hash: CD22D661B19A4D4FE7A8EB7884B57B977D2EF98304F4406B9E00EC72E7DD28AD018741
                                                                              Function 00007FFD9B7120F1 Relevance: .2, Instructions: 210COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 0000000F.00000002.2436544813.00007FFD9B710000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B710000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_15_2_7ffd9b710000_System User.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: c5ef1099c94727b35f780c3499b3b14d7e00f4434ff6db67f722d3359fbfb80e
                                                                              • Instruction ID: bc85103ab67b28333493a10a9f250830a9b8c4c4df84f02fac91ca5d1a448505
                                                                              • Opcode Fuzzy Hash: c5ef1099c94727b35f780c3499b3b14d7e00f4434ff6db67f722d3359fbfb80e
                                                                              • Instruction Fuzzy Hash: 9051FD10B1E6C90FD79AABB858746757FE5DF87229F0802FAE089C61E7DD581806C352
                                                                              Function 00007FFD9B710AD3 Relevance: 1.5, Strings: 1, Instructions: 223COMMON
                                                                              Download Yara Rule
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 0000000F.00000002.2436544813.00007FFD9B710000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B710000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_15_2_7ffd9b710000_System User.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: 9M_^
                                                                              • API String ID: 0-1708477388
                                                                              • Opcode ID: 8619a5ceb0ca595dbdafabff3394c81f6123e3cd856511f2e195fc1f2e94bc37
                                                                              • Instruction ID: acc31cf07e629d58e146bf4fd9b0ada4c41524258c3f4af4a70173d2e8dc8a1f
                                                                              • Opcode Fuzzy Hash: 8619a5ceb0ca595dbdafabff3394c81f6123e3cd856511f2e195fc1f2e94bc37
                                                                              • Instruction Fuzzy Hash: 61615726B0D61F8AE705BBBCA4A1AFD3BE1EF84324B4443B6D01DC71D7CD2968468791
                                                                              Function 00007FFD9B710E8E Relevance: 1.5, Strings: 1, Instructions: 220COMMON
                                                                              Download Yara Rule
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 0000000F.00000002.2436544813.00007FFD9B710000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B710000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_15_2_7ffd9b710000_System User.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: 4M_^
                                                                              • API String ID: 0-2545914641
                                                                              • Opcode ID: ef6f33b1f233c89927ea151348e0460267093628887a980c51c4178004f9d54a
                                                                              • Instruction ID: ee06e62f349437c9791dd864b807240c554b0fc53766e70820db257a40bae89b
                                                                              • Opcode Fuzzy Hash: ef6f33b1f233c89927ea151348e0460267093628887a980c51c4178004f9d54a
                                                                              • Instruction Fuzzy Hash: F5516C21B0E78E0FE756AB7898656B53BE1EF86224B0941FBD08DC71E7DD1C9C428352
                                                                              Function 00007FFD9B711295 Relevance: .9, Instructions: 861COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 0000000F.00000002.2436544813.00007FFD9B710000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B710000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_15_2_7ffd9b710000_System User.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 02a9180366b3fa8aafd736f570d98f29872ce0e8fa2acb0c49aee30bcca6d4c6
                                                                              • Instruction ID: 646e193225cb5a515c96266c7b3e42d2e63c928690aff1a8de206730c8997750
                                                                              • Opcode Fuzzy Hash: 02a9180366b3fa8aafd736f570d98f29872ce0e8fa2acb0c49aee30bcca6d4c6
                                                                              • Instruction Fuzzy Hash: E331C423B0F79E4FE751A7AC98B25F97BB0EF42210B0902F6C095CE4A3DD1929058751
                                                                              Function 00007FFD9B710985 Relevance: .3, Instructions: 346COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 0000000F.00000002.2436544813.00007FFD9B710000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B710000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_15_2_7ffd9b710000_System User.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 122eae138e86cfb68611ea4e241c02db63f5cc28ede9b6439086c1e531b73882
                                                                              • Instruction ID: fc47f4d8038e7b7ceb7a13dcd8551aa4c9947a9aed4bfc0f6da65a9e99bfa67b
                                                                              • Opcode Fuzzy Hash: 122eae138e86cfb68611ea4e241c02db63f5cc28ede9b6439086c1e531b73882
                                                                              • Instruction Fuzzy Hash: EBA14626B0956E8AE705BB7CA8A16ED7BA0EF85335B4403F7C049CA1C7CD29644687D1
                                                                              Function 00007FFD9B7109D3 Relevance: .3, Instructions: 320COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 0000000F.00000002.2436544813.00007FFD9B710000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B710000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_15_2_7ffd9b710000_System User.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: f31636c1dbeb56aa1c858eb74d39faef292545512081936dd6960063b00a5b68
                                                                              • Instruction ID: 6fc1b856078e5e223ecfe9f240aba90dcc511acb55947a8180d1b22cf3cb3b52
                                                                              • Opcode Fuzzy Hash: f31636c1dbeb56aa1c858eb74d39faef292545512081936dd6960063b00a5b68
                                                                              • Instruction Fuzzy Hash: 59917727B0992E8AE704BB7CB8A16ED7BA0EF85335B4443F7D049CA1C7CD29644687D1
                                                                              Function 00007FFD9B710A08 Relevance: .3, Instructions: 305COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 0000000F.00000002.2436544813.00007FFD9B710000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B710000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_15_2_7ffd9b710000_System User.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 0c589e625e23be2a2de7f546cf742ddf29ee3ed82932edb391d6844c9ae86359
                                                                              • Instruction ID: 37ce34e28be259cc793345a8d1bd4a1581e292b62d88ba051467c3cea4c5ace3
                                                                              • Opcode Fuzzy Hash: 0c589e625e23be2a2de7f546cf742ddf29ee3ed82932edb391d6844c9ae86359
                                                                              • Instruction Fuzzy Hash: B0816827B0952E8AE704BBBCB8A16ED7BA0EF85335B4443B7D049CA1C7CD296446C7D1
                                                                              Function 00007FFD9B710A10 Relevance: .3, Instructions: 301COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 0000000F.00000002.2436544813.00007FFD9B710000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B710000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_15_2_7ffd9b710000_System User.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 105fad99650a99a23e110ffd5dae5bab30360bce463614a502cf0aa0dfcf5797
                                                                              • Instruction ID: 0d952454f1c1d01c112ded3b218a784ce59144ffc0bf829e9c925c1c7a639bbb
                                                                              • Opcode Fuzzy Hash: 105fad99650a99a23e110ffd5dae5bab30360bce463614a502cf0aa0dfcf5797
                                                                              • Instruction Fuzzy Hash: 20814826B0952E8AE704BB7CB4A16ED7BA0EF85335B4443B7D049CA1C7CD29684687D1
                                                                              Function 00007FFD9B710A48 Relevance: .3, Instructions: 270COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 0000000F.00000002.2436544813.00007FFD9B710000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B710000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_15_2_7ffd9b710000_System User.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 85d0d77e11ad76b2883c63da499d3be85f4832b0776863026ceff4b06a719abb
                                                                              • Instruction ID: 29975019af199242e9b8b649a1be4eb58371e4fb60fc8cfa5601be1887b215c9
                                                                              • Opcode Fuzzy Hash: 85d0d77e11ad76b2883c63da499d3be85f4832b0776863026ceff4b06a719abb
                                                                              • Instruction Fuzzy Hash: 14715726B0952E8AEB04BBBCA4A16ED7BA1EF85335B4403B7D049CB1C7CD296446C7D1
                                                                              Function 00007FFD9B710BD3 Relevance: .2, Instructions: 165COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 0000000F.00000002.2436544813.00007FFD9B710000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B710000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_15_2_7ffd9b710000_System User.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: d510ee77c00c2561ec7731a74600b32f97d431ae27a6ae8146d21e50ea8656fd
                                                                              • Instruction ID: b9cf49c0f98582237e0ce725fd3b2f3244a0e0c4b1e688358670801d90b57d63
                                                                              • Opcode Fuzzy Hash: d510ee77c00c2561ec7731a74600b32f97d431ae27a6ae8146d21e50ea8656fd
                                                                              • Instruction Fuzzy Hash: A1512625B0DA4D4FEB44FBB8D8A16ED7BE1EF88314F4402B6D009C72D7CD2969468B91
                                                                              Function 00007FFD9B710D21 Relevance: .2, Instructions: 150COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 0000000F.00000002.2436544813.00007FFD9B710000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B710000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_15_2_7ffd9b710000_System User.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 1d6657b48d638c0974c99673eb2752cebc54d87e15abac7f7514c1c21bd622d6
                                                                              • Instruction ID: 7819d89596b93fb0206d0a76a7eb473e7dfcf9ca285da96d65a28f23d891d1c4
                                                                              • Opcode Fuzzy Hash: 1d6657b48d638c0974c99673eb2752cebc54d87e15abac7f7514c1c21bd622d6
                                                                              • Instruction Fuzzy Hash: 4F41D721B1990E4FEB48BBAC98A97BD73D1EF98710F4002B6E01DC32D7DD286D018792
                                                                              Function 00007FFD9B710638 Relevance: .1, Instructions: 138COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 0000000F.00000002.2436544813.00007FFD9B710000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B710000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_15_2_7ffd9b710000_System User.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 5c23cbca16c4355d6681f20d2cb2f257fe4002cd7bb345c9678d862a99531566
                                                                              • Instruction ID: 6a645157453e31c75c6aa8285a8d6909a90c5359e384e6db6eba8af6d5f525ee
                                                                              • Opcode Fuzzy Hash: 5c23cbca16c4355d6681f20d2cb2f257fe4002cd7bb345c9678d862a99531566
                                                                              • Instruction Fuzzy Hash: E931C821B1D94D0FE798EB6C546A778B7C2EF99315F0502BAE40EC32E7DD646C418341
                                                                              Function 00007FFD9B710858 Relevance: .1, Instructions: 90COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 0000000F.00000002.2436544813.00007FFD9B710000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B710000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_15_2_7ffd9b710000_System User.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 8955526433cb2ccc774f452128f978ba4afbcc4e3fd6cd906cf0b54a9dfbdff3
                                                                              • Instruction ID: 5033638f78c86617219a8e4acb09225fb1e05b14ade36262acb9340590ba4d44
                                                                              • Opcode Fuzzy Hash: 8955526433cb2ccc774f452128f978ba4afbcc4e3fd6cd906cf0b54a9dfbdff3
                                                                              • Instruction Fuzzy Hash: CC31C121B49A4A5FE385EB2C90F19E93FB2EF85204BC445E5D05ACB3DBDD346C008B92
                                                                              Function 00007FFD9B710870 Relevance: .1, Instructions: 76COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 0000000F.00000002.2436544813.00007FFD9B710000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B710000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_15_2_7ffd9b710000_System User.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: ea681290ac47bf0ac73e883647180fb96a7c939751d485124c7d1882137840f3
                                                                              • Instruction ID: ff938b2da0ce148c9e44a38b2f46e9252d0fabe684b37a0cb50ef52bed1b7c09
                                                                              • Opcode Fuzzy Hash: ea681290ac47bf0ac73e883647180fb96a7c939751d485124c7d1882137840f3
                                                                              • Instruction Fuzzy Hash: 4A21A021B59A495FE385EB2894F59E97FB2EF88204BC444E9D40AC73DBCD346D008F92
                                                                              Function 00007FFD9B7122C1 Relevance: .0, Instructions: 43COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 0000000F.00000002.2436544813.00007FFD9B710000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B710000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_15_2_7ffd9b710000_System User.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: ecb8444d0034bae990f28ec89789de27e9e92b269e5d94011269c50030825e53
                                                                              • Instruction ID: c60a526df3ba6155c51978c9ae9abf002dabfb36fbad62940e42def21f10ea62
                                                                              • Opcode Fuzzy Hash: ecb8444d0034bae990f28ec89789de27e9e92b269e5d94011269c50030825e53
                                                                              • Instruction Fuzzy Hash: 0A014911A0EBC90FE792A77818655757FE0CF91248B0905FBE8C9C70F7D808AB808352

                                                                              Executed Functions

                                                                              Function 00007FFD9B711719 Relevance: .7, Instructions: 705COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000010.00000002.2510126152.00007FFD9B710000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B710000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_16_2_7ffd9b710000_System User.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 36f7f71104ca26fcdbb167373de3d33ef91d056bbd56769f9a5ce0f5e71a9f18
                                                                              • Instruction ID: e5aa83ee09ca975d23e19e677cd0b69788f3842628901ec3f7b8295fd2beee38
                                                                              • Opcode Fuzzy Hash: 36f7f71104ca26fcdbb167373de3d33ef91d056bbd56769f9a5ce0f5e71a9f18
                                                                              • Instruction Fuzzy Hash: 8022E761B19A4D4FE7A8EB7884757B977D2FF98300F8406B9E00EC72E6DD28AD018741
                                                                              Function 00007FFD9B7120F1 Relevance: .2, Instructions: 210COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000010.00000002.2510126152.00007FFD9B710000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B710000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_16_2_7ffd9b710000_System User.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 19a10a14588122f56b0d696f7aa04889e9bec0cf2e393f6792308e25aaf8ebf7
                                                                              • Instruction ID: dac4f6de4bf818975b8b9ae2c035237f993522dc45dd707f23fd486f701174f5
                                                                              • Opcode Fuzzy Hash: 19a10a14588122f56b0d696f7aa04889e9bec0cf2e393f6792308e25aaf8ebf7
                                                                              • Instruction Fuzzy Hash: 1951FD10B1E6C90FD79AABB858746757FE5DF87229F0802FAE089C61E7DD481806C352
                                                                              Function 00007FFD9B710AD3 Relevance: 1.5, Strings: 1, Instructions: 223COMMON
                                                                              Download Yara Rule
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000010.00000002.2510126152.00007FFD9B710000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B710000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_16_2_7ffd9b710000_System User.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: 9M_^
                                                                              • API String ID: 0-1708477388
                                                                              • Opcode ID: fc0de7e14acef3d0a2e87bd4d23bd35fe14451fc44ef19c12c4ba096d84677c5
                                                                              • Instruction ID: b9d5d8e692e69ebd801285726348a09ab44ee7ffaaaca14eac690aa89af08a22
                                                                              • Opcode Fuzzy Hash: fc0de7e14acef3d0a2e87bd4d23bd35fe14451fc44ef19c12c4ba096d84677c5
                                                                              • Instruction Fuzzy Hash: 43615926B0D61F8AE705BBBCE4A16FD37A1EF84324B8443B6D01DC72D7CD2968468791
                                                                              Function 00007FFD9B710E8E Relevance: 1.5, Strings: 1, Instructions: 220COMMON
                                                                              Download Yara Rule
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000010.00000002.2510126152.00007FFD9B710000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B710000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_16_2_7ffd9b710000_System User.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: 4M_^
                                                                              • API String ID: 0-2545914641
                                                                              • Opcode ID: 384548d7770bc1c03ffba68c0c85ad1e321881067df08a9efb0f6defe06d0ad8
                                                                              • Instruction ID: f4ee7f3e40ddc9a9d86378953447e578d69ad983766ee15dfa72e21d90e0410d
                                                                              • Opcode Fuzzy Hash: 384548d7770bc1c03ffba68c0c85ad1e321881067df08a9efb0f6defe06d0ad8
                                                                              • Instruction Fuzzy Hash: 3F516C21B0E78E0FE756AB7898656B53BE1EF86224B0941FBD08DC71E7DD1C9C428352
                                                                              Function 00007FFD9B711295 Relevance: .9, Instructions: 861COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000010.00000002.2510126152.00007FFD9B710000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B710000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_16_2_7ffd9b710000_System User.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 741b237a951df1645d047d1253c41b9548e5466e7e06ed4e41abbc67ecd6a8ec
                                                                              • Instruction ID: c297c0909cacbb253282400bd49bb6e1f4d2112db65eecea9eb7e265903eed1e
                                                                              • Opcode Fuzzy Hash: 741b237a951df1645d047d1253c41b9548e5466e7e06ed4e41abbc67ecd6a8ec
                                                                              • Instruction Fuzzy Hash: 6E31C423B0F79E4FE751A7AC98B25F97BB0EF42210B4902F6C095CE4A3ED1929058751
                                                                              Function 00007FFD9B710985 Relevance: .3, Instructions: 346COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000010.00000002.2510126152.00007FFD9B710000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B710000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_16_2_7ffd9b710000_System User.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 21e1bc309b7053f6e02a808f46a04fa773b42b030e4d38d1dc741da099800021
                                                                              • Instruction ID: 06937991b03b405dc9ec2c53a5ed848c8ae49105e5f0e5d8264eb23392decc13
                                                                              • Opcode Fuzzy Hash: 21e1bc309b7053f6e02a808f46a04fa773b42b030e4d38d1dc741da099800021
                                                                              • Instruction Fuzzy Hash: 5FA13526B0956E8AEB05BB7CA8A16FD7BA0EF85331B4403F7C049CA1C7CD29644687D1
                                                                              Function 00007FFD9B7109D3 Relevance: .3, Instructions: 320COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000010.00000002.2510126152.00007FFD9B710000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B710000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_16_2_7ffd9b710000_System User.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: a95a97d2794186b15dc0297b4afd3a4c6e14a2f43530b9b0df9649d5b449bd74
                                                                              • Instruction ID: a68bf2f7513cc4bacb6de072cc80e264cde557e7943c6858e274548802f1662b
                                                                              • Opcode Fuzzy Hash: a95a97d2794186b15dc0297b4afd3a4c6e14a2f43530b9b0df9649d5b449bd74
                                                                              • Instruction Fuzzy Hash: FC912526B0992E8AE704BB7CF8616FD7BA0EF85331B8443B7D049CA1D7CD29644687D1
                                                                              Function 00007FFD9B710A08 Relevance: .3, Instructions: 305COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000010.00000002.2510126152.00007FFD9B710000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B710000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_16_2_7ffd9b710000_System User.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: cee138fbae98f7ba17a9b93ba39d226d166988432c123e19d1c7a24bff799ca6
                                                                              • Instruction ID: a02c2ab78c1aba6efb1eebac441847129fe7206794a708f0966c587002f66438
                                                                              • Opcode Fuzzy Hash: cee138fbae98f7ba17a9b93ba39d226d166988432c123e19d1c7a24bff799ca6
                                                                              • Instruction Fuzzy Hash: D2814726B0952E8AEB05BB7CF8616FE7BA0EF85331B4443B7D049CA1C7CD29644687D1
                                                                              Function 00007FFD9B710A10 Relevance: .3, Instructions: 301COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000010.00000002.2510126152.00007FFD9B710000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B710000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_16_2_7ffd9b710000_System User.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 21a0a2455a3fcabefcea6fbc4eab6c44d1600caf96e1983723c358eace16c7c8
                                                                              • Instruction ID: 97a7116fe230c256a643aebd2b576f14d83d424ef5482713bb57430c4e7b150b
                                                                              • Opcode Fuzzy Hash: 21a0a2455a3fcabefcea6fbc4eab6c44d1600caf96e1983723c358eace16c7c8
                                                                              • Instruction Fuzzy Hash: 7B813726B0952E8AEB04BB7CF8616FD7BA1EF85331B4443B7D049CA1C7CD29684687D1
                                                                              Function 00007FFD9B710A48 Relevance: .3, Instructions: 270COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000010.00000002.2510126152.00007FFD9B710000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B710000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_16_2_7ffd9b710000_System User.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 278e306f0543b196438072f11937be78912a1c81ddb8a3bfb44d537991c5f340
                                                                              • Instruction ID: 6020b3226b3dc3fcce088214e2cfef3d1bbb7ca483430e8ded1cd83bf47a4e64
                                                                              • Opcode Fuzzy Hash: 278e306f0543b196438072f11937be78912a1c81ddb8a3bfb44d537991c5f340
                                                                              • Instruction Fuzzy Hash: 6D713626B0952E8AEB04BB7CE8A16FD7BA1EF85321B4403B7D049C71C7CD296846C7D1
                                                                              Function 00007FFD9B710BD3 Relevance: .2, Instructions: 165COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000010.00000002.2510126152.00007FFD9B710000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B710000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_16_2_7ffd9b710000_System User.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: b8872e3102e3cf46e8b30e33472cda7bd4ce783ab591d9ea500475fba1ff27c0
                                                                              • Instruction ID: 7c310d0787445052d6e7e42da62dc5a9d5e7f6b1c23ea0c27787b4afe9ef0a22
                                                                              • Opcode Fuzzy Hash: b8872e3102e3cf46e8b30e33472cda7bd4ce783ab591d9ea500475fba1ff27c0
                                                                              • Instruction Fuzzy Hash: 24510621B0DA4D8FEB44FB78D8616FD7BA1EF88310F4406BAD009C72D7CD2969068791
                                                                              Function 00007FFD9B710D21 Relevance: .2, Instructions: 150COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000010.00000002.2510126152.00007FFD9B710000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B710000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_16_2_7ffd9b710000_System User.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 1ad61700614ce7a606eb73a2d13444e4d6c5c17d43bc7bf62cce0c574b80a7f4
                                                                              • Instruction ID: d5acea3f13f66ac4a2da62d7b1ea3f3578ee4f78f695dad0f3e0871466efcb5b
                                                                              • Opcode Fuzzy Hash: 1ad61700614ce7a606eb73a2d13444e4d6c5c17d43bc7bf62cce0c574b80a7f4
                                                                              • Instruction Fuzzy Hash: 0B41D961B1990E4FEB44BBAC98657BD73D1EF98710F4002B6E01DC32D7DD286D018792
                                                                              Function 00007FFD9B710638 Relevance: .1, Instructions: 138COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000010.00000002.2510126152.00007FFD9B710000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B710000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_16_2_7ffd9b710000_System User.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: a82084fd0f9141dc262df8bfcfa922fdb840e1d5a4a5d75094dc6ddf4da67478
                                                                              • Instruction ID: 3be7c1475e6e077fda0f88219abef87c4fb667f05af4802d6e0fbfe305492c3a
                                                                              • Opcode Fuzzy Hash: a82084fd0f9141dc262df8bfcfa922fdb840e1d5a4a5d75094dc6ddf4da67478
                                                                              • Instruction Fuzzy Hash: 8D31C621B1D94D0FEB98EA6C946A778B7C2EF99315F4502BAE40EC32E7DD64AC418341
                                                                              Function 00007FFD9B710858 Relevance: .1, Instructions: 90COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000010.00000002.2510126152.00007FFD9B710000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B710000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_16_2_7ffd9b710000_System User.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 9f7a30a7d79be8fb767fdc5ab29ec68b0eb0bf6ef9dd5e9a0bba6cbbd07c8f4c
                                                                              • Instruction ID: 968371d71b201c5be43712636b8f02fe05826348a6929491001febf8843bc068
                                                                              • Opcode Fuzzy Hash: 9f7a30a7d79be8fb767fdc5ab29ec68b0eb0bf6ef9dd5e9a0bba6cbbd07c8f4c
                                                                              • Instruction Fuzzy Hash: 7731A361B49A8A8FD785EB6CD0B19B93F72EF84204BC045E9D05AC33DBDD245C008B92
                                                                              Function 00007FFD9B710870 Relevance: .1, Instructions: 76COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000010.00000002.2510126152.00007FFD9B710000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B710000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_16_2_7ffd9b710000_System User.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 3656d2dbd52f5382d74b71c1c9e912a59c232273e562cfc07477c03f99b403e2
                                                                              • Instruction ID: 7f66abeb55fb784746c464b267ccd7113e95b7980ee9d3035c14a0ccd8d77fc4
                                                                              • Opcode Fuzzy Hash: 3656d2dbd52f5382d74b71c1c9e912a59c232273e562cfc07477c03f99b403e2
                                                                              • Instruction Fuzzy Hash: D2218561B59A898FD785EB78C4F5AB97F72EF84200BC044E9D41AC33DBDD245D008B92
                                                                              Function 00007FFD9B7122C1 Relevance: .0, Instructions: 43COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000010.00000002.2510126152.00007FFD9B710000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B710000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_16_2_7ffd9b710000_System User.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 1199c30a15c5a34f122ab10bcdb151f612631a875ab1ba0af9d7b5f08ecf918c
                                                                              • Instruction ID: c6b7b49892ef98de9f04409509cba487d14d71d4a0cde599f29a7b38b11dba3e
                                                                              • Opcode Fuzzy Hash: 1199c30a15c5a34f122ab10bcdb151f612631a875ab1ba0af9d7b5f08ecf918c
                                                                              • Instruction Fuzzy Hash: 0B014915A0EBC90FE791A7785C656357FE0CF91244B4905FAE8C8C71F7E808AB808352

                                                                              Executed Functions

                                                                              Function 00007FFD9B6F1719 Relevance: .7, Instructions: 705COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000012.00000002.2595288343.00007FFD9B6F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6F0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_18_2_7ffd9b6f0000_System User.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 48205314028ac216a759fb8b0ab54e7c747b199b8b095185d510330cb5f91d06
                                                                              • Instruction ID: 12045c30c8dd942dac25a08ed850ac16b540da57fead1eeea66b50e45f3a3df8
                                                                              • Opcode Fuzzy Hash: 48205314028ac216a759fb8b0ab54e7c747b199b8b095185d510330cb5f91d06
                                                                              • Instruction Fuzzy Hash: 5B22D661B1994A4FE7A8EB7884756B87BD2FF98340F4405B9E01EC72D7DE287D018781
                                                                              Function 00007FFD9B6F20F1 Relevance: .2, Instructions: 210COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000012.00000002.2595288343.00007FFD9B6F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6F0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_18_2_7ffd9b6f0000_System User.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: e70fa1a611f6be83a62bff8f2cc58b41ef9198b33d7ff4921169b14ef1848158
                                                                              • Instruction ID: d6a823c95a24ae2393771dabe93cabe69e4829235481d31e6bf88066cac82586
                                                                              • Opcode Fuzzy Hash: e70fa1a611f6be83a62bff8f2cc58b41ef9198b33d7ff4921169b14ef1848158
                                                                              • Instruction Fuzzy Hash: 4D510E60B0E6C90FD79AABB858756757FE5DF87219B0800FAE09DCB1E7DD082846C346
                                                                              Function 00007FFD9B6F0AD3 Relevance: 1.5, Strings: 1, Instructions: 223COMMON
                                                                              Download Yara Rule
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000012.00000002.2595288343.00007FFD9B6F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6F0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_18_2_7ffd9b6f0000_System User.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: 9O_^
                                                                              • API String ID: 0-1716625314
                                                                              • Opcode ID: 3af012689159e62aa169e2032b3c3606635af82d1555a3e4608db2a3f6c4f0c8
                                                                              • Instruction ID: ddfdb310f97f28d79632aa68ebb0b68f074d5c947a401cf5affa7ac358d77238
                                                                              • Opcode Fuzzy Hash: 3af012689159e62aa169e2032b3c3606635af82d1555a3e4608db2a3f6c4f0c8
                                                                              • Instruction Fuzzy Hash: D2617B26B0951B4EE705BBBCA0A1AED3BE1EFC4325B4405B6D01DCB1D7CD29788687D1
                                                                              Function 00007FFD9B6F0E8E Relevance: 1.5, Strings: 1, Instructions: 220COMMON
                                                                              Download Yara Rule
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000012.00000002.2595288343.00007FFD9B6F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6F0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_18_2_7ffd9b6f0000_System User.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: 4O_^
                                                                              • API String ID: 0-2486912895
                                                                              • Opcode ID: c1e587a4ccf7a5a887150217c7e3583795d543a2882ce2152064d38b2674cab6
                                                                              • Instruction ID: e96acafb71724c527668b8767443161453912dd0aa94d97362b32a6c6213a8db
                                                                              • Opcode Fuzzy Hash: c1e587a4ccf7a5a887150217c7e3583795d543a2882ce2152064d38b2674cab6
                                                                              • Instruction Fuzzy Hash: 45516A21B0E68A0FE796AB7C58655B93FE1DF86224B0940FBD08DCB1E7DD1C6C468352
                                                                              Function 00007FFD9B6F1295 Relevance: .9, Instructions: 861COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000012.00000002.2595288343.00007FFD9B6F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6F0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_18_2_7ffd9b6f0000_System User.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 9f2f70af6d73d99caf08601173c0452463b082ddcdd03db2a4a3e475ab84fa20
                                                                              • Instruction ID: 770eb7ce570ae9ab63bb58aef46fc9a94290ece39c088cd13ce5227a9f871eeb
                                                                              • Opcode Fuzzy Hash: 9f2f70af6d73d99caf08601173c0452463b082ddcdd03db2a4a3e475ab84fa20
                                                                              • Instruction Fuzzy Hash: 0C31E523B0E68A4FF756A7AC94B24E97BB0FF81350B4905B7C0A5CE0E3ED1979498350
                                                                              Function 00007FFD9B6F0985 Relevance: .3, Instructions: 346COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000012.00000002.2595288343.00007FFD9B6F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6F0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_18_2_7ffd9b6f0000_System User.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: d3977e39a061e23bf0a4fb9401cd99522628e03d40375550d8c43c252737c0bd
                                                                              • Instruction ID: d516ad44f0047b15057035213a124958d76ceaf13684b10ddbf00f1846c6a5d2
                                                                              • Opcode Fuzzy Hash: d3977e39a061e23bf0a4fb9401cd99522628e03d40375550d8c43c252737c0bd
                                                                              • Instruction Fuzzy Hash: 66A1392BB089278ED705BB7DB4A16E97BA0EFC5331B4445B7C149CF1C7C928688A87D1
                                                                              Function 00007FFD9B6F09D3 Relevance: .3, Instructions: 320COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000012.00000002.2595288343.00007FFD9B6F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6F0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_18_2_7ffd9b6f0000_System User.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 4c68a314074d91571b5c9598aa517868fd828bd147b75755bfb2309ee62995de
                                                                              • Instruction ID: 3adaf2a792513cf04552dd0722e4de3b9c017bd2d09f421cc4f745bf655c7d3c
                                                                              • Opcode Fuzzy Hash: 4c68a314074d91571b5c9598aa517868fd828bd147b75755bfb2309ee62995de
                                                                              • Instruction Fuzzy Hash: 0F91592BB0891B4AE705BB7DB4516E93BA0EFC4331B4445B7C14DCE1C7CD28688A87D0
                                                                              Function 00007FFD9B6F0A08 Relevance: .3, Instructions: 305COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000012.00000002.2595288343.00007FFD9B6F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6F0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_18_2_7ffd9b6f0000_System User.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: be4fedf29c9d03ae01afaa4c63c4693ee2453d9ed1256d081bdd3056827cecf3
                                                                              • Instruction ID: 02c69e9b4b05670c595baa4d5bfea7e200e08d6f83feed790e156eb269400020
                                                                              • Opcode Fuzzy Hash: be4fedf29c9d03ae01afaa4c63c4693ee2453d9ed1256d081bdd3056827cecf3
                                                                              • Instruction Fuzzy Hash: BE816A2AB0891B8EE705BB7CB4916EA3BA0EFC4331B4445B7C14DCB1C7CD28688687D1
                                                                              Function 00007FFD9B6F0A10 Relevance: .3, Instructions: 301COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000012.00000002.2595288343.00007FFD9B6F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6F0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_18_2_7ffd9b6f0000_System User.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: db95cfb18b9fab4d006a776ef381fbd0c1c50ed9822aefb76f6fa07a6335cbd7
                                                                              • Instruction ID: 8aad5f4f6b99deee960d70be4596625df2948ed37af67e2422977e8ed7be0476
                                                                              • Opcode Fuzzy Hash: db95cfb18b9fab4d006a776ef381fbd0c1c50ed9822aefb76f6fa07a6335cbd7
                                                                              • Instruction Fuzzy Hash: 40816A2AB0891B8EE705BB7CB4916EA3BA0EFC4331B4445B7D15DCB1C7CD28688687D0
                                                                              Function 00007FFD9B6F0A48 Relevance: .3, Instructions: 270COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000012.00000002.2595288343.00007FFD9B6F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6F0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_18_2_7ffd9b6f0000_System User.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 0113814f8fe9f422072cefe53da376678d347cb6c4db96e54382d570c8ee6a4d
                                                                              • Instruction ID: 21e1657be6db616a2a6718ded007a5a9d1cb3a384935e915d5c32120b16aa2e2
                                                                              • Opcode Fuzzy Hash: 0113814f8fe9f422072cefe53da376678d347cb6c4db96e54382d570c8ee6a4d
                                                                              • Instruction Fuzzy Hash: C571392AB0891B8EE705BB7CA4916E97BA1EFC4321B4445B7D14DCB1C7CD286886C7D0
                                                                              Function 00007FFD9B6F0BD3 Relevance: .2, Instructions: 165COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000012.00000002.2595288343.00007FFD9B6F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6F0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_18_2_7ffd9b6f0000_System User.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 3cb910fd3113e6b3312ef50ecf25af41a5f66563ebab69c38615ebbfab25e195
                                                                              • Instruction ID: eaf54e6a8c71b3f22a0c026fc355d07a5083e08c70c3ec1f15288d6ce383ab30
                                                                              • Opcode Fuzzy Hash: 3cb910fd3113e6b3312ef50ecf25af41a5f66563ebab69c38615ebbfab25e195
                                                                              • Instruction Fuzzy Hash: C8512325B09A4E8FEB44FBB894A16ED7BE1EFC8311F4404B6D009CB2D7CD2969468791
                                                                              Function 00007FFD9B6F0D21 Relevance: .2, Instructions: 150COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000012.00000002.2595288343.00007FFD9B6F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6F0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_18_2_7ffd9b6f0000_System User.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 3208a97b428173ff768756c07c9c9ed512c98759566db0d79aacecb1c915c8f2
                                                                              • Instruction ID: 74ac08b40d832789eedb5cf14dbd3f894d2a20687ae174b867f9c5db4b3731a8
                                                                              • Opcode Fuzzy Hash: 3208a97b428173ff768756c07c9c9ed512c98759566db0d79aacecb1c915c8f2
                                                                              • Instruction Fuzzy Hash: 7941E921B1990A4FEB58BBAC98A57BD77D1EF98701F4002B6E01DC32D7DD287D018782
                                                                              Function 00007FFD9B6F0638 Relevance: .1, Instructions: 138COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000012.00000002.2595288343.00007FFD9B6F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6F0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_18_2_7ffd9b6f0000_System User.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: dcc50b471f9bc5977da91c9d67e0502e85bcb0b716777c1ec631ef8afcea2b82
                                                                              • Instruction ID: b302bfff7ee109bd88073685b7e5514b59746d4dba83bafc9dfe41fd0abc615f
                                                                              • Opcode Fuzzy Hash: dcc50b471f9bc5977da91c9d67e0502e85bcb0b716777c1ec631ef8afcea2b82
                                                                              • Instruction Fuzzy Hash: A831D321B1894D0FE798EA6C946A778B7C2EFD8315F4401BAF41EC72D7DD64AC418341
                                                                              Function 00007FFD9B6F0858 Relevance: .1, Instructions: 90COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000012.00000002.2595288343.00007FFD9B6F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6F0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_18_2_7ffd9b6f0000_System User.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: cd2a5155b84c919b65acd386789d7fdbebbe25406c64ab90b3161ae184d7cd9b
                                                                              • Instruction ID: 86db0003d4921434d6ecba9beebd3c28717b86d1758c4573a7eeaaafdd41b96f
                                                                              • Opcode Fuzzy Hash: cd2a5155b84c919b65acd386789d7fdbebbe25406c64ab90b3161ae184d7cd9b
                                                                              • Instruction Fuzzy Hash: C531B4A5749A4A4FD745EB6890F09E97FB2EF89201B8080E5D05DC73DBCD286E408BC2
                                                                              Function 00007FFD9B6F0870 Relevance: .1, Instructions: 76COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000012.00000002.2595288343.00007FFD9B6F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6F0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_18_2_7ffd9b6f0000_System User.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: f9c84d07d9488f4220d4c520bdfa940b470bb1337eb94bf515f82c9947f4ac9f
                                                                              • Instruction ID: 60ec039c97ffb558378cbabbb6be469a58678cb23ad20eb2075203d8bc556a16
                                                                              • Opcode Fuzzy Hash: f9c84d07d9488f4220d4c520bdfa940b470bb1337eb94bf515f82c9947f4ac9f
                                                                              • Instruction Fuzzy Hash: 4D2181A5759A494FD745EB2884F09E97FB2AFC8201BC084E5D41EC73DBCD286E008BC2
                                                                              Function 00007FFD9B6F22C1 Relevance: .0, Instructions: 43COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000012.00000002.2595288343.00007FFD9B6F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6F0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_18_2_7ffd9b6f0000_System User.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 9b9838a7343eb4ef2a5ae3fbf287adad0196e6bd7f685e115a0badc67037f238
                                                                              • Instruction ID: 303327b1aacf832eb3eac0ba764c9d5e0ef0cfeb5fd8ff846c7f9a6347046772
                                                                              • Opcode Fuzzy Hash: 9b9838a7343eb4ef2a5ae3fbf287adad0196e6bd7f685e115a0badc67037f238
                                                                              • Instruction Fuzzy Hash: 5E01F955B0EAC50FE791A7B818654757FE1DFD5201B4904FAF8D8CB1E7D8087B848742

                                                                              Executed Functions

                                                                              Function 00007FFD9B701719 Relevance: .7, Instructions: 705COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000013.00000002.2932688043.00007FFD9B700000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B700000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_19_2_7ffd9b700000_System User.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 3084c497788d0f061e5d7f1f3b7a65e8e9f13483c2bc2003fc130da55b27fbde
                                                                              • Instruction ID: 59ead97d85016e3b5c03c1608ca80d988d73881172f9fc6cf8a3548c4d7bbf23
                                                                              • Opcode Fuzzy Hash: 3084c497788d0f061e5d7f1f3b7a65e8e9f13483c2bc2003fc130da55b27fbde
                                                                              • Instruction Fuzzy Hash: E722EA61B19A4D4FE7A8EB7884756B977D2FF99300F4405BAE04EC32E7DD28AD018781
                                                                              Function 00007FFD9B7020F1 Relevance: .2, Instructions: 210COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000013.00000002.2932688043.00007FFD9B700000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B700000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_19_2_7ffd9b700000_System User.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: b656ba20dfe83620ef9a41fa5f48dcbf6ad866575c08435c0f8e2074ad56076d
                                                                              • Instruction ID: c29a7ba5a1427e4987eb08068c8f6c7c11c57cea977cd2489f0f2d648b8fb098
                                                                              • Opcode Fuzzy Hash: b656ba20dfe83620ef9a41fa5f48dcbf6ad866575c08435c0f8e2074ad56076d
                                                                              • Instruction Fuzzy Hash: F051EB11B0E6C94FD79AABB85874675BFE5DF8B229B0801FBE0C9C61E7DD481806C342
                                                                              Function 00007FFD9B700AD3 Relevance: 1.5, Strings: 1, Instructions: 223COMMON
                                                                              Download Yara Rule
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000013.00000002.2932688043.00007FFD9B700000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B700000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_19_2_7ffd9b700000_System User.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: 9N_^
                                                                              • API String ID: 0-1737749909
                                                                              • Opcode ID: 224c11892f445017a1e07cf6d1d4d0d863b03a0cc5b1c48051e36de03a804878
                                                                              • Instruction ID: 4b9658e17e42439c14e05c246459b1168e578a74f890fc61d978ebc89463dd3b
                                                                              • Opcode Fuzzy Hash: 224c11892f445017a1e07cf6d1d4d0d863b03a0cc5b1c48051e36de03a804878
                                                                              • Instruction Fuzzy Hash: 34614622B0862E8EE715B7BCA4A16FD7BE1EF84325B8402B7C05DC71D7CD29684283D1
                                                                              Function 00007FFD9B700E8E Relevance: 1.5, Strings: 1, Instructions: 220COMMON
                                                                              Download Yara Rule
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000013.00000002.2932688043.00007FFD9B700000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B700000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_19_2_7ffd9b700000_System User.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: 4N_^
                                                                              • API String ID: 0-2516135240
                                                                              • Opcode ID: 3994823b2c6e06a86c122323ea13de6714ec3290ba9620470f7c69e195c342d4
                                                                              • Instruction ID: a5f3b9d2316ec1326323d55aedba8c7814839f0a7f2adb5e2f86c4cf6e839e63
                                                                              • Opcode Fuzzy Hash: 3994823b2c6e06a86c122323ea13de6714ec3290ba9620470f7c69e195c342d4
                                                                              • Instruction Fuzzy Hash: 6D513721B0E68E0FE756AB7858655B53BE1DF86234B0901FBD08DC71E7DD1C9C468352
                                                                              Function 00007FFD9B701295 Relevance: .9, Instructions: 861COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000013.00000002.2932688043.00007FFD9B700000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B700000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_19_2_7ffd9b700000_System User.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: dbd131df5f5c1e59025ade79d32097a0e1836bce895bd6f847ce527d10a7afe3
                                                                              • Instruction ID: 9343a3e7a8b9d3dae7c55cf4e56247e624809e7d326bed54dfeae86919bf8212
                                                                              • Opcode Fuzzy Hash: dbd131df5f5c1e59025ade79d32097a0e1836bce895bd6f847ce527d10a7afe3
                                                                              • Instruction Fuzzy Hash: 9B31F533B0E79A4FE712A7AC98B25E97BB1EF42210B0902B7D0C5CA4F3ED1969058340
                                                                              Function 00007FFD9B700985 Relevance: .3, Instructions: 346COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000013.00000002.2932688043.00007FFD9B700000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B700000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_19_2_7ffd9b700000_System User.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: ecffd1950099c42473e7738041069ffd81f59bbeda6df3c0dc145a4bf620ac4e
                                                                              • Instruction ID: 1a915f57947ca9c7d0015a4ba662417477756781cb39dcfe234fdb1b0cb6ae95
                                                                              • Opcode Fuzzy Hash: ecffd1950099c42473e7738041069ffd81f59bbeda6df3c0dc145a4bf620ac4e
                                                                              • Instruction Fuzzy Hash: 0CA13C27B0862A8FE715BBBCB8616ED7BA1EF85371B4401B7C149CB1C7CD28684687D1
                                                                              Function 00007FFD9B7009D3 Relevance: .3, Instructions: 320COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000013.00000002.2932688043.00007FFD9B700000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B700000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_19_2_7ffd9b700000_System User.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: f982ac9842752e2ae8259d94d30d9f94b31a4099f4ddd3f32f6def94104df6af
                                                                              • Instruction ID: a1d7d4a4d85958538d06500586a894f401cc0f0b40385e504a0fe4863b3495df
                                                                              • Opcode Fuzzy Hash: f982ac9842752e2ae8259d94d30d9f94b31a4099f4ddd3f32f6def94104df6af
                                                                              • Instruction Fuzzy Hash: 5B916C27B0892A8BE705BBBCB8556EE7BA0EFC4331B4441B7C149CB1D7CD28684687C1
                                                                              Function 00007FFD9B700A08 Relevance: .3, Instructions: 305COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000013.00000002.2932688043.00007FFD9B700000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B700000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_19_2_7ffd9b700000_System User.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 1ac4228b7bbb0a1e9f2c397a49d3f246664ea7d523ea9ff57d6b52e082df64ce
                                                                              • Instruction ID: 110b06cef184357cbd6b30b299d1ea497fc3da63dea02d5b5ad82814daaa7c62
                                                                              • Opcode Fuzzy Hash: 1ac4228b7bbb0a1e9f2c397a49d3f246664ea7d523ea9ff57d6b52e082df64ce
                                                                              • Instruction Fuzzy Hash: 27815D26B0892A8BE715BBBCB8516EE7BA1EF84331B4445B7C149C71C7CD28684687C1
                                                                              Function 00007FFD9B700A10 Relevance: .3, Instructions: 301COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000013.00000002.2932688043.00007FFD9B700000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B700000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_19_2_7ffd9b700000_System User.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 5b3ee596fec1e8c8fc147c421b00d82d484e244388942275586e64a9e045631a
                                                                              • Instruction ID: 74d508d5e4c3751a511dfc73a3ce7f66688f0ceba6fa065f9b2d571cc240cfb8
                                                                              • Opcode Fuzzy Hash: 5b3ee596fec1e8c8fc147c421b00d82d484e244388942275586e64a9e045631a
                                                                              • Instruction Fuzzy Hash: 5A815C26B0892B8BE715BBBCB8516EE7BA1EF84331B4441B7C149C71C7CD28684687C1
                                                                              Function 00007FFD9B700A48 Relevance: .3, Instructions: 270COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000013.00000002.2932688043.00007FFD9B700000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B700000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_19_2_7ffd9b700000_System User.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 6ca2e81b82c57456412928dfaf9584fd215967372696414194429404ef54aa7e
                                                                              • Instruction ID: 8c34b4dc49956219b9281c63d92aa27bd4dd4caa8cfe0a32b0b6f4c9cc10395e
                                                                              • Opcode Fuzzy Hash: 6ca2e81b82c57456412928dfaf9584fd215967372696414194429404ef54aa7e
                                                                              • Instruction Fuzzy Hash: 26715C26B0892A8FE705BBBCB4616EE7BA1EF84331B4401B7D149C71C7CD286846C7C1
                                                                              Function 00007FFD9B700BD3 Relevance: .2, Instructions: 165COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000013.00000002.2932688043.00007FFD9B700000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B700000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_19_2_7ffd9b700000_System User.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: b15d17d1ed1fb5ca8c0b77723c9fdcfcb990f8507981ea3a93061e32347a11eb
                                                                              • Instruction ID: 9125d1a173214fc16cbf14a67954a87a3fcf35f91a4f8a608a8a8f3378806b68
                                                                              • Opcode Fuzzy Hash: b15d17d1ed1fb5ca8c0b77723c9fdcfcb990f8507981ea3a93061e32347a11eb
                                                                              • Instruction Fuzzy Hash: C3512521B09A5E8FEB44FBB898616FD7BB1EF88311F4405B6D049C72D7CD28A9068781
                                                                              Function 00007FFD9B700D21 Relevance: .2, Instructions: 150COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000013.00000002.2932688043.00007FFD9B700000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B700000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_19_2_7ffd9b700000_System User.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: a702cc52b28c493887699cd526c021d27c3ded35a098943c134eb3ab2974d17c
                                                                              • Instruction ID: 8666e74ffedcc9f7448b7aa9e87423d2c50c21767a7f7d2b36009d8f8ad787b6
                                                                              • Opcode Fuzzy Hash: a702cc52b28c493887699cd526c021d27c3ded35a098943c134eb3ab2974d17c
                                                                              • Instruction Fuzzy Hash: 5841D321B1890E4FEB48ABAC98697BD76D1EF98711F4002B7E01DC32D7DD286D018382
                                                                              Function 00007FFD9B700638 Relevance: .1, Instructions: 138COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000013.00000002.2932688043.00007FFD9B700000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B700000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_19_2_7ffd9b700000_System User.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 5ccc43430a002b077174681fb8cdd8962eccfa85fe29fb9914eef5e612bd87b4
                                                                              • Instruction ID: a3301da910bad966cea6b4b569ee02568408885aeb32a1bc86dc462aecf9f3e6
                                                                              • Opcode Fuzzy Hash: 5ccc43430a002b077174681fb8cdd8962eccfa85fe29fb9914eef5e612bd87b4
                                                                              • Instruction Fuzzy Hash: 4731C621B1894D0FE79CEB6C946A778B7C2EF98315F0501BAE44EC32E7DD64AC418381
                                                                              Function 00007FFD9B700858 Relevance: .1, Instructions: 90COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000013.00000002.2932688043.00007FFD9B700000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B700000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_19_2_7ffd9b700000_System User.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: b5163389fef59a6f6a8a86943b0ed2da97cada4530e81696838e2886eb5b46c9
                                                                              • Instruction ID: ed6992c986ca3103108eb42dfe8f07d38ef1368775737fa5fe37438ac0820a72
                                                                              • Opcode Fuzzy Hash: b5163389fef59a6f6a8a86943b0ed2da97cada4530e81696838e2886eb5b46c9
                                                                              • Instruction Fuzzy Hash: 7F31A561B496498FE75AE77894B48B93F72BF84204BC045E5D05AC72DBDD289C018781
                                                                              Function 00007FFD9B700870 Relevance: .1, Instructions: 76COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000013.00000002.2932688043.00007FFD9B700000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B700000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_19_2_7ffd9b700000_System User.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 442ae4c93ef1fe5220eec5660806dbb5cbf31e9794de79266f16db62cd1c34c9
                                                                              • Instruction ID: 2fd766880a6bfd28b0432a4ae1b8061eeda0585bf3d7a35df4cf6b1fdb01b072
                                                                              • Opcode Fuzzy Hash: 442ae4c93ef1fe5220eec5660806dbb5cbf31e9794de79266f16db62cd1c34c9
                                                                              • Instruction Fuzzy Hash: 5E219561B59A498FF75AEB7894B48B97F72BF84200BC044E5D45AC33DBDD2C9D008B82
                                                                              Function 00007FFD9B7022C1 Relevance: .0, Instructions: 43COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000013.00000002.2932688043.00007FFD9B700000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B700000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_19_2_7ffd9b700000_System User.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 2cf446fee81aae0ce6e5b2c4796809710645e3829574423f696fe0af30a526a6
                                                                              • Instruction ID: d3891a20a2f10878c45f5b5f12e7cbd15b531da4d46317dcd2566ad6247b275e
                                                                              • Opcode Fuzzy Hash: 2cf446fee81aae0ce6e5b2c4796809710645e3829574423f696fe0af30a526a6
                                                                              • Instruction Fuzzy Hash: 4C01D616A0EB850FE795A7B818654757FE0DF91210B0905BBE8C9C61B7EC08AA848382