Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
8DiSW8IPEF.exe

Overview

General Information

Sample name:8DiSW8IPEF.exe
renamed because original name is a hash value
Original sample name:f40324b0b7698fa26e5f6ac1b96aca4a037c0ce92739bef46184e25fce617444.exe
Analysis ID:1579074
MD5:ad71876f6dfb18657b7ee257084b6c8b
SHA1:02af6c56f55066b24e85e91f8eb97a954fc545fd
SHA256:f40324b0b7698fa26e5f6ac1b96aca4a037c0ce92739bef46184e25fce617444
Tags:exeuser-Chainskilabs
Infos:

Detection

XWorm
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected XWorm
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Check if machine is in data center or colocation facility
Connects to many ports of the same IP (likely port scanning)
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Loading BitLocker PowerShell Module
Machine Learning detection for sample
Protects its processes via BreakOnTermination flag
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected Generic Downloader
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Powershell Defender Exclusion
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Process Tree

  • System is w10x64
  • 8DiSW8IPEF.exe (PID: 5972 cmdline: "C:\Users\user\Desktop\8DiSW8IPEF.exe" MD5: AD71876F6DFB18657B7EE257084B6C8B)
    • powershell.exe (PID: 6392 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\8DiSW8IPEF.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 5368 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 4760 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '8DiSW8IPEF.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 5512 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
XWormMalware with wide range of capabilities ranging from RAT to ransomware.No Attributionhttps://malpedia.caad.fkie.fraunhofer.de/details/win.xworm

Malware Configuration

Threatname: Xworm

{"C2 url": ["below-judge.gl.at.ply.gg"], "Port": 36197, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}

Yara Signatures

Initial Sample

SourceRuleDescriptionAuthorStrings
8DiSW8IPEF.exeJoeSecurity_XWormYara detected XWormJoe Security
    8DiSW8IPEF.exeJoeSecurity_GenericDownloader_1Yara detected Generic DownloaderJoe Security
      8DiSW8IPEF.exeMALWARE_Win_AsyncRATDetects AsyncRATditekSHen
      • 0xc20a:$s6: VirtualBox
      • 0xc168:$s8: Win32_ComputerSystem
      • 0xe412:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
      • 0xe4af:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
      • 0xe5c4:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
      • 0xd9ca:$cnc4: POST / HTTP/1.1

      Memory Dumps

      SourceRuleDescriptionAuthorStrings
      00000000.00000000.2041416352.0000000000752000.00000002.00000001.01000000.00000003.sdmpJoeSecurity_XWormYara detected XWormJoe Security
        00000000.00000000.2041416352.0000000000752000.00000002.00000001.01000000.00000003.sdmpMALWARE_Win_AsyncRATDetects AsyncRATditekSHen
        • 0xc00a:$s6: VirtualBox
        • 0xbf68:$s8: Win32_ComputerSystem
        • 0xe212:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
        • 0xe2af:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
        • 0xe3c4:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
        • 0xd7ca:$cnc4: POST / HTTP/1.1
        00000000.00000002.4513957442.0000000002B01000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_XWormYara detected XWormJoe Security
          Process Memory Space: 8DiSW8IPEF.exe PID: 5972JoeSecurity_XWormYara detected XWormJoe Security

            Unpacked PEs

            SourceRuleDescriptionAuthorStrings
            0.0.8DiSW8IPEF.exe.750000.0.unpackJoeSecurity_XWormYara detected XWormJoe Security
              0.0.8DiSW8IPEF.exe.750000.0.unpackJoeSecurity_GenericDownloader_1Yara detected Generic DownloaderJoe Security
                0.0.8DiSW8IPEF.exe.750000.0.unpackMALWARE_Win_AsyncRATDetects AsyncRATditekSHen
                • 0xc20a:$s6: VirtualBox
                • 0xc168:$s8: Win32_ComputerSystem
                • 0xe412:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
                • 0xe4af:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
                • 0xe5c4:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
                • 0xd9ca:$cnc4: POST / HTTP/1.1

                Sigma Signatures

                System Summary

                barindex
                Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
                Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\8DiSW8IPEF.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\8DiSW8IPEF.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\8DiSW8IPEF.exe", ParentImage: C:\Users\user\Desktop\8DiSW8IPEF.exe, ParentProcessId: 5972, ParentProcessName: 8DiSW8IPEF.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\8DiSW8IPEF.exe', ProcessId: 6392, ProcessName: powershell.exe
                Sigma detected: Change PowerShell Policies to an Insecure Level
                Source: Process startedAuthor: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\8DiSW8IPEF.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\8DiSW8IPEF.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\8DiSW8IPEF.exe", ParentImage: C:\Users\user\Desktop\8DiSW8IPEF.exe, ParentProcessId: 5972, ParentProcessName: 8DiSW8IPEF.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\8DiSW8IPEF.exe', ProcessId: 6392, ProcessName: powershell.exe
                Sigma detected: Powershell Defender Exclusion
                Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\8DiSW8IPEF.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\8DiSW8IPEF.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\8DiSW8IPEF.exe", ParentImage: C:\Users\user\Desktop\8DiSW8IPEF.exe, ParentProcessId: 5972, ParentProcessName: 8DiSW8IPEF.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\8DiSW8IPEF.exe', ProcessId: 6392, ProcessName: powershell.exe
                Sigma detected: Non Interactive PowerShell Process Spawned
                Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\8DiSW8IPEF.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\8DiSW8IPEF.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\8DiSW8IPEF.exe", ParentImage: C:\Users\user\Desktop\8DiSW8IPEF.exe, ParentProcessId: 5972, ParentProcessName: 8DiSW8IPEF.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\8DiSW8IPEF.exe', ProcessId: 6392, ProcessName: powershell.exe

                Suricata Signatures

                TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                2024-12-20T19:13:51.515432+010028531931Malware Command and Control Activity Detected192.168.2.549993147.185.221.2436197TCP

                Joe Sandbox Signatures

                Click to jump to signature section

                Show All Signature Results

                AV Detection

                barindex
                Antivirus / Scanner detection for submitted sample
                Source: 8DiSW8IPEF.exeAvira: detected
                Found malware configuration
                Source: 8DiSW8IPEF.exeMalware Configuration Extractor: Xworm {"C2 url": ["below-judge.gl.at.ply.gg"], "Port": 36197, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}
                Multi AV Scanner detection for submitted file
                Source: 8DiSW8IPEF.exeReversingLabs: Detection: 78%
                AI detected suspicious sample
                Source: Submited SampleIntegrated Neural Analysis Model: Matched 100.0% probability
                Machine Learning detection for sample
                Source: 8DiSW8IPEF.exeJoe Sandbox ML: detected
                Sample uses string decryption to hide its real strings
                Source: 8DiSW8IPEF.exeString decryptor: below-judge.gl.at.ply.gg
                Source: 8DiSW8IPEF.exeString decryptor: 36197
                Source: 8DiSW8IPEF.exeString decryptor: <123456789>
                Source: 8DiSW8IPEF.exeString decryptor: <Xwormmm>
                Source: 8DiSW8IPEF.exeString decryptor: XWorm V5.6
                Source: 8DiSW8IPEF.exeString decryptor: USB.exe
                Source: 8DiSW8IPEF.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                Source: 8DiSW8IPEF.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                Networking

                barindex
                Suricata IDS alerts for network traffic
                Source: Network trafficSuricata IDS: 2855924 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.5:49870 -> 147.185.221.24:36197
                Source: Network trafficSuricata IDS: 2853193 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.5:49993 -> 147.185.221.24:36197
                C2 URLs / IPs found in malware configuration
                Source: Malware configuration extractorURLs: below-judge.gl.at.ply.gg
                Connects to many ports of the same IP (likely port scanning)
                Source: global trafficTCP traffic: 147.185.221.24 ports 36197,1,3,6,7,9
                Yara detected Generic Downloader
                Source: Yara matchFile source: 8DiSW8IPEF.exe, type: SAMPLE
                Source: Yara matchFile source: 0.0.8DiSW8IPEF.exe.750000.0.unpack, type: UNPACKEDPE
                Source: global trafficTCP traffic: 192.168.2.5:49721 -> 147.185.221.24:36197
                Source: global trafficHTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
                Source: Joe Sandbox ViewIP Address: 208.95.112.1 208.95.112.1
                Source: Joe Sandbox ViewASN Name: SALSGIVERUS SALSGIVERUS
                Source: unknownDNS query: name: ip-api.com
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: global trafficHTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
                Source: global trafficDNS traffic detected: DNS query: ip-api.com
                Source: global trafficDNS traffic detected: DNS query: below-judge.gl.at.ply.gg
                Source: powershell.exe, 00000005.00000002.2272644336.000001A0C5A82000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.micro
                Source: powershell.exe, 00000005.00000002.2272644336.000001A0C5A82000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.micro/pki/crl/productCerAut_2010-06-2
                Source: powershell.exe, 00000005.00000002.2273917979.000001A0C5B1C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.microsoft
                Source: 8DiSW8IPEF.exeString found in binary or memory: http://ip-api.com/line/?fields=hosting
                Source: powershell.exe, 00000002.00000002.2150321970.00000289F110E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2255606853.000001A0BD4AF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
                Source: powershell.exe, 00000005.00000002.2194268594.000001A0AD669000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
                Source: powershell.exe, 00000002.00000002.2133056522.00000289E12C8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2194268594.000001A0AD669000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
                Source: 8DiSW8IPEF.exe, 00000000.00000002.4513957442.0000000002B01000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2133056522.00000289E10A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2194268594.000001A0AD441000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                Source: powershell.exe, 00000002.00000002.2133056522.00000289E12C8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2194268594.000001A0AD669000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/
                Source: powershell.exe, 00000005.00000002.2194268594.000001A0AD669000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
                Source: powershell.exe, 00000005.00000002.2272644336.000001A0C5A82000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.micom/pki/certs/Miut_2010-06-23.cr
                Source: powershell.exe, 00000002.00000002.2133056522.00000289E10A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2194268594.000001A0AD441000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore68
                Source: powershell.exe, 00000005.00000002.2255606853.000001A0BD4AF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
                Source: powershell.exe, 00000005.00000002.2255606853.000001A0BD4AF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
                Source: powershell.exe, 00000005.00000002.2255606853.000001A0BD4AF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
                Source: powershell.exe, 00000005.00000002.2194268594.000001A0AD669000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
                Source: powershell.exe, 00000002.00000002.2157144230.00000289F97DC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ion=v4.535c
                Source: powershell.exe, 00000002.00000002.2150321970.00000289F110E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2255606853.000001A0BD4AF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe

                Operating System Destruction

                barindex
                Protects its processes via BreakOnTermination flag
                Source: C:\Users\user\Desktop\8DiSW8IPEF.exeProcess information set: 01 00 00 00 Jump to behavior

                System Summary

                barindex
                Malicious sample detected (through community Yara rule)
                Source: 8DiSW8IPEF.exe, type: SAMPLEMatched rule: Detects AsyncRAT Author: ditekSHen
                Source: 0.0.8DiSW8IPEF.exe.750000.0.unpack, type: UNPACKEDPEMatched rule: Detects AsyncRAT Author: ditekSHen
                Source: 00000000.00000000.2041416352.0000000000752000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Detects AsyncRAT Author: ditekSHen
                Source: C:\Users\user\Desktop\8DiSW8IPEF.exeProcess Stats: CPU usage > 49%
                Source: C:\Users\user\Desktop\8DiSW8IPEF.exeCode function: 0_2_00007FF848F216F10_2_00007FF848F216F1
                Source: C:\Users\user\Desktop\8DiSW8IPEF.exeCode function: 0_2_00007FF848F265E20_2_00007FF848F265E2
                Source: C:\Users\user\Desktop\8DiSW8IPEF.exeCode function: 0_2_00007FF848F258360_2_00007FF848F25836
                Source: C:\Users\user\Desktop\8DiSW8IPEF.exeCode function: 0_2_00007FF848F2352D0_2_00007FF848F2352D
                Source: C:\Users\user\Desktop\8DiSW8IPEF.exeCode function: 0_2_00007FF848F250350_2_00007FF848F25035
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_00007FF848FD30E92_2_00007FF848FD30E9
                Source: 8DiSW8IPEF.exe, 00000000.00000000.2041416352.0000000000752000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameimpact.exe4 vs 8DiSW8IPEF.exe
                Source: 8DiSW8IPEF.exeBinary or memory string: OriginalFilenameimpact.exe4 vs 8DiSW8IPEF.exe
                Source: 8DiSW8IPEF.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                Source: 8DiSW8IPEF.exe, type: SAMPLEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                Source: 0.0.8DiSW8IPEF.exe.750000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                Source: 00000000.00000000.2041416352.0000000000752000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                Source: 8DiSW8IPEF.exe, ZZkG9NKs0LxSpr.csCryptographic APIs: 'TransformFinalBlock'
                Source: 8DiSW8IPEF.exe, ZZkG9NKs0LxSpr.csCryptographic APIs: 'TransformFinalBlock'
                Source: 8DiSW8IPEF.exe, ZPQafKFduVZFw5.csCryptographic APIs: 'TransformFinalBlock'
                Source: 8DiSW8IPEF.exe, mbCjkEvVWbZuNm.csBase64 encoded string: 'vlTV3eWBj7T26ISQVr1d0c6Fh4dVymdK8wCrlnwMNdtofqaavrPLUiTpocAu1wtW'
                Source: classification engineClassification label: mal100.troj.evad.winEXE@7/9@2/2
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5512:120:WilError_03
                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5368:120:WilError_03
                Source: C:\Users\user\Desktop\8DiSW8IPEF.exeMutant created: \Sessions\1\BaseNamedObjects\f4nKuc4ONzcfBn4j
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yuiu34j4.fsm.ps1Jump to behavior
                Source: 8DiSW8IPEF.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: 8DiSW8IPEF.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                Source: C:\Users\user\Desktop\8DiSW8IPEF.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
                Source: C:\Users\user\Desktop\8DiSW8IPEF.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                Source: 8DiSW8IPEF.exeReversingLabs: Detection: 78%
                Source: unknownProcess created: C:\Users\user\Desktop\8DiSW8IPEF.exe "C:\Users\user\Desktop\8DiSW8IPEF.exe"
                Source: C:\Users\user\Desktop\8DiSW8IPEF.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\8DiSW8IPEF.exe'
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\Desktop\8DiSW8IPEF.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '8DiSW8IPEF.exe'
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\Desktop\8DiSW8IPEF.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\8DiSW8IPEF.exe'Jump to behavior
                Source: C:\Users\user\Desktop\8DiSW8IPEF.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '8DiSW8IPEF.exe'Jump to behavior
                Source: C:\Users\user\Desktop\8DiSW8IPEF.exeSection loaded: mscoree.dllJump to behavior
                Source: C:\Users\user\Desktop\8DiSW8IPEF.exeSection loaded: apphelp.dllJump to behavior
                Source: C:\Users\user\Desktop\8DiSW8IPEF.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Users\user\Desktop\8DiSW8IPEF.exeSection loaded: version.dllJump to behavior
                Source: C:\Users\user\Desktop\8DiSW8IPEF.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                Source: C:\Users\user\Desktop\8DiSW8IPEF.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Users\user\Desktop\8DiSW8IPEF.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Users\user\Desktop\8DiSW8IPEF.exeSection loaded: uxtheme.dllJump to behavior
                Source: C:\Users\user\Desktop\8DiSW8IPEF.exeSection loaded: cryptsp.dllJump to behavior
                Source: C:\Users\user\Desktop\8DiSW8IPEF.exeSection loaded: rsaenh.dllJump to behavior
                Source: C:\Users\user\Desktop\8DiSW8IPEF.exeSection loaded: cryptbase.dllJump to behavior
                Source: C:\Users\user\Desktop\8DiSW8IPEF.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Users\user\Desktop\8DiSW8IPEF.exeSection loaded: wbemcomn.dllJump to behavior
                Source: C:\Users\user\Desktop\8DiSW8IPEF.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\8DiSW8IPEF.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Users\user\Desktop\8DiSW8IPEF.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Users\user\Desktop\8DiSW8IPEF.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Users\user\Desktop\8DiSW8IPEF.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Users\user\Desktop\8DiSW8IPEF.exeSection loaded: rasapi32.dllJump to behavior
                Source: C:\Users\user\Desktop\8DiSW8IPEF.exeSection loaded: rasman.dllJump to behavior
                Source: C:\Users\user\Desktop\8DiSW8IPEF.exeSection loaded: rtutils.dllJump to behavior
                Source: C:\Users\user\Desktop\8DiSW8IPEF.exeSection loaded: mswsock.dllJump to behavior
                Source: C:\Users\user\Desktop\8DiSW8IPEF.exeSection loaded: winhttp.dllJump to behavior
                Source: C:\Users\user\Desktop\8DiSW8IPEF.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                Source: C:\Users\user\Desktop\8DiSW8IPEF.exeSection loaded: iphlpapi.dllJump to behavior
                Source: C:\Users\user\Desktop\8DiSW8IPEF.exeSection loaded: dhcpcsvc6.dllJump to behavior
                Source: C:\Users\user\Desktop\8DiSW8IPEF.exeSection loaded: dhcpcsvc.dllJump to behavior
                Source: C:\Users\user\Desktop\8DiSW8IPEF.exeSection loaded: dnsapi.dllJump to behavior
                Source: C:\Users\user\Desktop\8DiSW8IPEF.exeSection loaded: winnsi.dllJump to behavior
                Source: C:\Users\user\Desktop\8DiSW8IPEF.exeSection loaded: rasadhlp.dllJump to behavior
                Source: C:\Users\user\Desktop\8DiSW8IPEF.exeSection loaded: fwpuclnt.dllJump to behavior
                Source: C:\Users\user\Desktop\8DiSW8IPEF.exeSection loaded: propsys.dllJump to behavior
                Source: C:\Users\user\Desktop\8DiSW8IPEF.exeSection loaded: edputil.dllJump to behavior
                Source: C:\Users\user\Desktop\8DiSW8IPEF.exeSection loaded: urlmon.dllJump to behavior
                Source: C:\Users\user\Desktop\8DiSW8IPEF.exeSection loaded: iertutil.dllJump to behavior
                Source: C:\Users\user\Desktop\8DiSW8IPEF.exeSection loaded: srvcli.dllJump to behavior
                Source: C:\Users\user\Desktop\8DiSW8IPEF.exeSection loaded: netutils.dllJump to behavior
                Source: C:\Users\user\Desktop\8DiSW8IPEF.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                Source: C:\Users\user\Desktop\8DiSW8IPEF.exeSection loaded: wintypes.dllJump to behavior
                Source: C:\Users\user\Desktop\8DiSW8IPEF.exeSection loaded: appresolver.dllJump to behavior
                Source: C:\Users\user\Desktop\8DiSW8IPEF.exeSection loaded: bcp47langs.dllJump to behavior
                Source: C:\Users\user\Desktop\8DiSW8IPEF.exeSection loaded: slc.dllJump to behavior
                Source: C:\Users\user\Desktop\8DiSW8IPEF.exeSection loaded: sppc.dllJump to behavior
                Source: C:\Users\user\Desktop\8DiSW8IPEF.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                Source: C:\Users\user\Desktop\8DiSW8IPEF.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                Source: C:\Users\user\Desktop\8DiSW8IPEF.exeSection loaded: avicap32.dllJump to behavior
                Source: C:\Users\user\Desktop\8DiSW8IPEF.exeSection loaded: msvfw32.dllJump to behavior
                Source: C:\Users\user\Desktop\8DiSW8IPEF.exeSection loaded: winmm.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                Source: C:\Users\user\Desktop\8DiSW8IPEF.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32Jump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
                Source: 8DiSW8IPEF.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                Source: 8DiSW8IPEF.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                Data Obfuscation

                barindex
                .NET source code contains method to dynamically call methods (often used by packers)
                Source: 8DiSW8IPEF.exe, anTweaskzlIvg0.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{MhSDVQHTKlzBWJGz2DNtsU2O28e4jYrds74ppCPdIMNpxkCwJfwo0r51tglFyYUTuoQGx3lt.z2IHhT0X33ydY6AV0guU11IiMHaiuVOEm0YeVwRqI8uJqXQuXMeJjDPkB3qgBqiOPuQ6eUuJ,MhSDVQHTKlzBWJGz2DNtsU2O28e4jYrds74ppCPdIMNpxkCwJfwo0r51tglFyYUTuoQGx3lt.LcX5ePoSIxCADbdghfUJnIGF6olf0LJijYQ1TTe2sN3fz3heRfDgjPuZt9ZTdBp51AlE2Gi5,MhSDVQHTKlzBWJGz2DNtsU2O28e4jYrds74ppCPdIMNpxkCwJfwo0r51tglFyYUTuoQGx3lt.Gp7ydu7yoA3QaeDaj3zJTetiFriY96MwQmC1z5kLzItqhzVyU2V9n3ilcVDYXJwuMjVQWvHi,MhSDVQHTKlzBWJGz2DNtsU2O28e4jYrds74ppCPdIMNpxkCwJfwo0r51tglFyYUTuoQGx3lt.uit586YT3QPMqX26ROa4AfotfzjXwGI4oNpGktgs4wVwVnZUfdL5cE1xvdsOqbMt3fMs9TNk,ZZkG9NKs0LxSpr._1Xddxq6HMqwUIP()}}, (string[])null, (Type[])null, (bool[])null, true)
                Source: 8DiSW8IPEF.exe, anTweaskzlIvg0.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{WfM4waw9Cy9F5T[2],ZZkG9NKs0LxSpr.x4FSTmjugVWCfy(Convert.FromBase64String(WfM4waw9Cy9F5T[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
                .NET source code contains potential unpacker
                Source: 8DiSW8IPEF.exe, anTweaskzlIvg0.cs.Net Code: jYAk32YcdaqG4z System.AppDomain.Load(byte[])
                Source: 8DiSW8IPEF.exe, anTweaskzlIvg0.cs.Net Code: FxUuLXjM0PFudf System.AppDomain.Load(byte[])
                Source: 8DiSW8IPEF.exe, anTweaskzlIvg0.cs.Net Code: FxUuLXjM0PFudf
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_00007FF848DED2A5 pushad ; iretd 2_2_00007FF848DED2A6
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_00007FF848FD2316 push 8B485F95h; iretd 2_2_00007FF848FD231B
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_00007FF848E0D2A5 pushad ; iretd 5_2_00007FF848E0D2A6
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_00007FF848F219DB pushad ; ret 5_2_00007FF848F219E9
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_00007FF848FF2316 push 8B485F93h; iretd 5_2_00007FF848FF231B
                Source: 8DiSW8IPEF.exe, MhSDVQHTKlzBWJGz2DNtsU2O28e4jYrds74ppCPdIMNpxkCwJfwo0r51tglFyYUTuoQGx3lt.csHigh entropy of concatenated method names: 'SgvOUOIGKqHSAIxN5qI0PUTwaQmhhkKknFKANM4sNq1tMb', 'UJ66ZbDAjDoL3wHt8ytOWzDbUN9xxcaUegnT8qYyVt0e32', 'Sk8YcUZ9B28KeNu2ZLq71Z5EJKk5RZhyY3fLXXpk31AcB9', 'IEmSzBkHSiOAJqIwBjCuj1BGg4qWy1ShLZFgpJW8ePFbsz'
                Source: 8DiSW8IPEF.exe, mbCjkEvVWbZuNm.csHigh entropy of concatenated method names: 'wo8Aukm9aWv261', 'H6QBvQT1z9Ju9g', 'LMenTcqHk9U6Ed', 'codrBZ3lxEFNs6H5oSPsQbGq7JpahzY1', 'fgNBQKt7QzGLEWIi9OfxC1blgr82GcG9', 'aairXWuSrFwcwE5PDGbhHcPqGDKlOSCfM4ZNQuc9pM7oSTDqFJd4ixNJcy4FO8E6', 'uGTpc0nalYSOm3e584Uvr2OiL6FEigUQ9Y1gU1Ls7YUm0g4uQnXA7IWmtP60zC4o', 'MIzEPvQcYsLKvrx14Sika0aYp191A6lj745tD1iuPeM612uznyMr6uEGxwdjV83t', '_1huScwtbOiLVJ8DviTpKOEwkQN2AzoHy9PAqX1auwz03VP4RZN7GsVeO4OW7rLUu', 'mbrfRiWaJervw6vIQwhKZvkMuPgPmbHeA9wVK4OHbvyhZ7liLS19KfB20Ac1AaBC'
                Source: 8DiSW8IPEF.exe, ysfimWpWwMNADDTZikZODiKUfiMJV3OcioJab0x4l8CzPVSIOItoaFXyi4uFDyGmg3O3zLpH.csHigh entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'wxBB2IOcMYhpM2AV5Wa35TLsMbHjAtpefGtUfIEUVFGi2u', '_5qNkuI2qjHM8X0kdtdMZcaJTURcjVEB1ZOhZF0B7WVm4m5', 'R5ezp4U18riYgISXTNdiwT9JI6kCSCeEi3XjNcCBjZTh4Z', 'hpuD0cAled9bikZdc33wSfQNMBHkKrOaFytxTl1Ime4Gua'
                Source: 8DiSW8IPEF.exe, nK4ehUIWEOVWLS.csHigh entropy of concatenated method names: 'Ki6ZBnvKJIWhVa', '_3sWOCmprjdK2htbqCBxuTf3hTsKoZMfa', '_0xfQMqHcQF4MhSPTQA8GqAiHb1Nd143C', 'eYhCf2uvkFO5SxiLzrzjue6Lt4TWIhVY', 'b2eg3Wo6qkGLpR4F34xgZpZ7XFlMEaBL'
                Source: 8DiSW8IPEF.exe, anTweaskzlIvg0.csHigh entropy of concatenated method names: 'ann7VbSVmWzWW5', 'jYAk32YcdaqG4z', '_0XH4hpNY2H3C6e', 'TfDJ2RMrjwz1dN', '_74DFNdWtInLW3H', 'AetdMXnmzrasCR', 'EV5eRj6LUFIlbY', 'FANOMtcKPSkBM7', 'nfkVJveTHk4GcN', 'RE6OyjhsWV7ltA'
                Source: 8DiSW8IPEF.exe, sh9tYNvmpCjl2ESuoiy8lvFqLr0B10oG3mxS9XzJrrX9q2dc8lIyqhriOPTbavHSjkxK6OTG.csHigh entropy of concatenated method names: 'xJWxL0g7DcidlfN5PIQsg9B7GYJ4SndiiLUAHyD9o2NC5aKbL6iqC4F7fiwrR3hERCsuqpbj', 'OGb3KV8ZkIl49P', 'upfzWwN83cNQyA', 'sSJeUYtYxn3elF', 'w0DYbFQYerbptR', 'd5tbrxTtz67Qdu', 'NKhze3SvoBHhgR', '_1El66tzvLG5uvI', 'x7aHNCv56K2PqE', '_5YAKg7PReUL388'
                Source: 8DiSW8IPEF.exe, k4KSn8kCF88pudtji3RWppS4ihHs5GAQnZRCMpjX20agMnoSwMJPRKhU23DmVaIePzRT8HqO.csHigh entropy of concatenated method names: 'xToDq7HvdlsCMFl5KjbF1yQZmHeZsmY9ujqJsw0oXKGH2wakFhTbZK3oQ1p6GHmez0mn90wH', 'ZeXtbblsYrYbnbRjeQ1r1cDzWkoOpH8lDoNSrTR76ewaccuywZhgY4YpzvhxmkE2iRzML2dp', 'SMan2ewtelGmSRjWW53TDSGq46eHquRuJGiYICexr1qH6kGvbuLhWnlbSz187g55VeI6DJSr', 'rcsLYZZiCBpbINlugT7DLR93eaupySY5SmmKkPfx0HoCLYddJHUJP82JeDBd0dcYnNBkPS87', 'YksFVxUSQ4jxnKuYzUGee14l1QZevW4izdm70sXFRzoTL05zDGmP7F9PdzDkosShopYRE0JA', 'jnGDp6rjtN6ouBNjn0nv7BPm83RxCIfwMZN2noRo2SoCeS4lhoez2PitzIPXgfOhw6QBqfN3', 'x0sH2JQ7ILedELc53WPbq1dhL9jL3Zkj4ycYrQAfgyKACtRFHTJtupOV7x5NkNVgBBHKa1a6', 'ajw0OmWRHSi60Y7k8HsQDVm673mIzftUwsaJXIXT5Nnublek60MmXlrookHWMYmFXPggNTQs', 'vGidivSoZ4JzRXbZsMkxADxg5IHjNubzLGhSIkBzHfWjpXMsFPatBs31dJjC861eY5BSrE5j', 'L3Plt2MVDTYghCztsei3ntI9OIrarBVzL5hVa3nM0XpvAXvIG2biMKQIzeFy1lBf5Az8o3DA'
                Source: 8DiSW8IPEF.exe, ZZkG9NKs0LxSpr.csHigh entropy of concatenated method names: 'IxmxD2DFxausGE', '_7lErSWm8LlifDK', 'wCCabbw0tebHrx', 'hZqPnsCUB2EXjJ', 'hJLplSmXh07tK7', 'fjkRy3UthqfdAW', 'LcRq7pnlKfyRrY', 'FbRrifAR9lbm2P', '_2IS1yBztrhpltj', 'Sr7MlY0tQ3NjBi'
                Source: 8DiSW8IPEF.exe, ZPQafKFduVZFw5.csHigh entropy of concatenated method names: 'kIJajxMgASeRCO', 'Da05IsRp6VpCjXxMUmAjCV6Dcoi2vsNd', 'KMW1H6sa1yHH5cLKwvtozwasTvPvMQMV', 'D6vytnj8em9NELqluvE0imYJpXar4Cw1', 'xhh8xEO4QAPTboLlqp7sv55J3KVwZjgB'
                Source: 8DiSW8IPEF.exe, PI2h1sOblfZgJd.csHigh entropy of concatenated method names: 'AlSgNJCOMAYCQ2', 'DcgxEhou6TfOs0', 'L99xCScPVF9Fcf', 'BjH5c7V4nFltuH', 'QihMZuw9ivSmBsmLcb75izuNJA0FObu1', 'YbWspRzJwwtrQHpCxC4LpMxVamHG6OtP', '_1FJust6Xc4PGlAM8x2RwJ9axQXn5TN1K', 'zGdpTOoADWfAP005e5GZbkJ5t7riFfZJ', '_9caxKXbSUbaT5aaw7Cfjezd4TLngEOkr', 'L01nSY2P28WAWkIX6ANSG9tWNPewGkIw'
                Source: 8DiSW8IPEF.exe, v7430WmZ3869yT.csHigh entropy of concatenated method names: 'b3R68ALL35yCpu', 'XPzbWzIPMrsNnr', 'ERMKl6TGpYnfHK', 'nPZ4bcLNCv3udL', 'pLaALWPqyBZnoF', 'U60cw4HXIrhQ5l', 'phCiJxOq91mRYO', 'eFBLom5kzaxrEu', 'PtkHT15Mf3tKv7', 'jph2fFB8fqhnoW'

                Hooking and other Techniques for Hiding and Protection

                barindex
                Loading BitLocker PowerShell Module
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                Source: C:\Users\user\Desktop\8DiSW8IPEF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\8DiSW8IPEF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\8DiSW8IPEF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\8DiSW8IPEF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\8DiSW8IPEF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\8DiSW8IPEF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\8DiSW8IPEF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\8DiSW8IPEF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\8DiSW8IPEF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\8DiSW8IPEF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\8DiSW8IPEF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\8DiSW8IPEF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\8DiSW8IPEF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\8DiSW8IPEF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\8DiSW8IPEF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\8DiSW8IPEF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\8DiSW8IPEF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\8DiSW8IPEF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\8DiSW8IPEF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\8DiSW8IPEF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\8DiSW8IPEF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\8DiSW8IPEF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\8DiSW8IPEF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\8DiSW8IPEF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\8DiSW8IPEF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\8DiSW8IPEF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\8DiSW8IPEF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\8DiSW8IPEF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\8DiSW8IPEF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\8DiSW8IPEF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\8DiSW8IPEF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\8DiSW8IPEF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\8DiSW8IPEF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\8DiSW8IPEF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\8DiSW8IPEF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\8DiSW8IPEF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\8DiSW8IPEF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\8DiSW8IPEF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\8DiSW8IPEF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\8DiSW8IPEF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\8DiSW8IPEF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\8DiSW8IPEF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\8DiSW8IPEF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\8DiSW8IPEF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\8DiSW8IPEF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\8DiSW8IPEF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\8DiSW8IPEF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\8DiSW8IPEF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\8DiSW8IPEF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\8DiSW8IPEF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\8DiSW8IPEF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\8DiSW8IPEF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\8DiSW8IPEF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\8DiSW8IPEF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                Malware Analysis System Evasion

                barindex
                Check if machine is in data center or colocation facility
                Source: global trafficHTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
                Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
                Source: C:\Users\user\Desktop\8DiSW8IPEF.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
                Source: C:\Users\user\Desktop\8DiSW8IPEF.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
                Source: C:\Users\user\Desktop\8DiSW8IPEF.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
                Source: C:\Users\user\Desktop\8DiSW8IPEF.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
                Source: C:\Users\user\Desktop\8DiSW8IPEF.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
                Source: C:\Users\user\Desktop\8DiSW8IPEF.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
                Source: C:\Users\user\Desktop\8DiSW8IPEF.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
                Source: C:\Users\user\Desktop\8DiSW8IPEF.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
                Source: C:\Users\user\Desktop\8DiSW8IPEF.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
                Source: C:\Users\user\Desktop\8DiSW8IPEF.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
                Source: C:\Users\user\Desktop\8DiSW8IPEF.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
                Source: C:\Users\user\Desktop\8DiSW8IPEF.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
                Source: C:\Users\user\Desktop\8DiSW8IPEF.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
                Source: C:\Users\user\Desktop\8DiSW8IPEF.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
                Source: C:\Users\user\Desktop\8DiSW8IPEF.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
                Source: C:\Users\user\Desktop\8DiSW8IPEF.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
                Source: C:\Users\user\Desktop\8DiSW8IPEF.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
                Source: C:\Users\user\Desktop\8DiSW8IPEF.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
                Source: C:\Users\user\Desktop\8DiSW8IPEF.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
                Source: C:\Users\user\Desktop\8DiSW8IPEF.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
                Source: C:\Users\user\Desktop\8DiSW8IPEF.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
                Source: C:\Users\user\Desktop\8DiSW8IPEF.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
                Source: C:\Users\user\Desktop\8DiSW8IPEF.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
                Source: C:\Users\user\Desktop\8DiSW8IPEF.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
                Source: C:\Users\user\Desktop\8DiSW8IPEF.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
                Source: C:\Users\user\Desktop\8DiSW8IPEF.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
                Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
                Source: 8DiSW8IPEF.exe, 00000000.00000002.4513957442.0000000002B01000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: SBIEDLL.DLL
                Source: 8DiSW8IPEF.exeBinary or memory string: SBIEDLL.DLL]GS0AXLWG9OBLI5AO2RIZHLO6DRP3DVSDVTS1PZDSQZZMVG]PWANNYSH8FV2QIMJPH71NCGEGMPFWLMCQGHBUYJHMSGCMT]OGAFYKK3PNKRGZ5RWNRCHSYOCOP42AL7KI5BTLUB3H0T7W]XSRMO2B4KHD61PFHYXLU6AS19KGRSNF5TQBBTMCTEOBGE9]W1EUDUAGXCI1A1RQKNEE4UUTHY7BGMLGLY4YVTGSY26URM]TP0TFAPYQJ8ZT5SE7PF1TITRCJNXLSHMLG8CBAOQF3JL8F]VJIIOOGE07TPLQO8LTPET2QO6IWS9WXKWRETNF0IA0O1HL]COEM0CPVEJOE8OEAZS8W87JMFISBSWZJKRRT4UDO5TMXHQ]BM5DWNEPLZ4CRLB2NZVJEHO1XV8CARRM3KEG9FENDRJOS6]W0LKOYUY9IWMWHMOG4VW3LKYUXNZBZNN67YVLHMUVUSVJP]5YWIUW6NZWQSFAVPWRVAUMDAT2PNYF9U93XRWIHGD8KCWT]LTMCSHGI1V0A5ZCAVNTZ4NNKFB5FCO3AF05R9RJXBVFWM2]SW0DGLTW4WTYJKFZLH2WH8YIAGMNMRIFXW3IGFPELGZXWJ]JDYLNEFRX1XUWRDL5CBS8XWMGB8I9JRFU7UF0U90T8HM9SINFO
                Source: C:\Users\user\Desktop\8DiSW8IPEF.exeMemory allocated: CA0000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\8DiSW8IPEF.exeMemory allocated: 1AB00000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\8DiSW8IPEF.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Users\user\Desktop\8DiSW8IPEF.exeWindow / User API: threadDelayed 7185Jump to behavior
                Source: C:\Users\user\Desktop\8DiSW8IPEF.exeWindow / User API: threadDelayed 2661Jump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 6767Jump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2933Jump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 7501Jump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2036Jump to behavior
                Source: C:\Users\user\Desktop\8DiSW8IPEF.exe TID: 1992Thread sleep time: -922337203685477s >= -30000sJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3304Thread sleep time: -7378697629483816s >= -30000sJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3996Thread sleep count: 7501 > 30Jump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 428Thread sleep count: 2036 > 30Jump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7124Thread sleep time: -6456360425798339s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\8DiSW8IPEF.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
                Source: C:\Users\user\Desktop\8DiSW8IPEF.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                Source: C:\Users\user\Desktop\8DiSW8IPEF.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                Source: C:\Users\user\Desktop\8DiSW8IPEF.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                Source: C:\Users\user\Desktop\8DiSW8IPEF.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                Source: C:\Users\user\Desktop\8DiSW8IPEF.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                Source: C:\Users\user\Desktop\8DiSW8IPEF.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                Source: C:\Users\user\Desktop\8DiSW8IPEF.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                Source: C:\Users\user\Desktop\8DiSW8IPEF.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                Source: C:\Users\user\Desktop\8DiSW8IPEF.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                Source: C:\Users\user\Desktop\8DiSW8IPEF.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                Source: C:\Users\user\Desktop\8DiSW8IPEF.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                Source: C:\Users\user\Desktop\8DiSW8IPEF.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                Source: C:\Users\user\Desktop\8DiSW8IPEF.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                Source: C:\Users\user\Desktop\8DiSW8IPEF.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                Source: C:\Users\user\Desktop\8DiSW8IPEF.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                Source: C:\Users\user\Desktop\8DiSW8IPEF.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                Source: C:\Users\user\Desktop\8DiSW8IPEF.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                Source: C:\Users\user\Desktop\8DiSW8IPEF.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                Source: C:\Users\user\Desktop\8DiSW8IPEF.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                Source: C:\Users\user\Desktop\8DiSW8IPEF.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                Source: C:\Users\user\Desktop\8DiSW8IPEF.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                Source: C:\Users\user\Desktop\8DiSW8IPEF.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                Source: C:\Users\user\Desktop\8DiSW8IPEF.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                Source: C:\Users\user\Desktop\8DiSW8IPEF.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                Source: C:\Users\user\Desktop\8DiSW8IPEF.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                Source: C:\Users\user\Desktop\8DiSW8IPEF.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                Source: C:\Users\user\Desktop\8DiSW8IPEF.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                Source: C:\Users\user\Desktop\8DiSW8IPEF.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: 8DiSW8IPEF.exeBinary or memory string: vmware
                Source: 8DiSW8IPEF.exe, 00000000.00000002.4532050738.000000001B960000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                Source: C:\Users\user\Desktop\8DiSW8IPEF.exeProcess information queried: ProcessInformationJump to behavior

                Anti Debugging

                barindex
                Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
                Source: C:\Users\user\Desktop\8DiSW8IPEF.exeCode function: 0_2_00007FF848F26DE1 CheckRemoteDebuggerPresent,0_2_00007FF848F26DE1
                Source: C:\Users\user\Desktop\8DiSW8IPEF.exeProcess queried: DebugPortJump to behavior
                Source: C:\Users\user\Desktop\8DiSW8IPEF.exeProcess token adjusted: DebugJump to behavior
                Source: C:\Users\user\Desktop\8DiSW8IPEF.exeProcess token adjusted: DebugJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                Source: C:\Users\user\Desktop\8DiSW8IPEF.exeMemory allocated: page read and write | page guardJump to behavior

                HIPS / PFW / Operating System Protection Evasion

                barindex
                Adds a directory exclusion to Windows Defender
                Source: C:\Users\user\Desktop\8DiSW8IPEF.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\8DiSW8IPEF.exe'
                Source: C:\Users\user\Desktop\8DiSW8IPEF.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\8DiSW8IPEF.exe'Jump to behavior
                Bypasses PowerShell execution policy
                Source: C:\Users\user\Desktop\8DiSW8IPEF.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\8DiSW8IPEF.exe'
                Source: C:\Users\user\Desktop\8DiSW8IPEF.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\8DiSW8IPEF.exe'Jump to behavior
                Source: C:\Users\user\Desktop\8DiSW8IPEF.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '8DiSW8IPEF.exe'Jump to behavior
                Source: C:\Users\user\Desktop\8DiSW8IPEF.exeQueries volume information: C:\Users\user\Desktop\8DiSW8IPEF.exe VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\8DiSW8IPEF.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
                Source: 8DiSW8IPEF.exe, 00000000.00000002.4532050738.000000001B960000.00000004.00000020.00020000.00000000.sdmp, 8DiSW8IPEF.exe, 00000000.00000002.4532050738.000000001B9BB000.00000004.00000020.00020000.00000000.sdmp, 8DiSW8IPEF.exe, 00000000.00000002.4511205342.0000000000CBC000.00000004.00000020.00020000.00000000.sdmp, 8DiSW8IPEF.exe, 00000000.00000002.4532050738.000000001BA06000.00000004.00000020.00020000.00000000.sdmp, 8DiSW8IPEF.exe, 00000000.00000002.4511205342.0000000000D7C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
                Source: C:\Users\user\Desktop\8DiSW8IPEF.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                Source: C:\Users\user\Desktop\8DiSW8IPEF.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                Source: C:\Users\user\Desktop\8DiSW8IPEF.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                Source: C:\Users\user\Desktop\8DiSW8IPEF.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                Source: C:\Users\user\Desktop\8DiSW8IPEF.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                Source: C:\Users\user\Desktop\8DiSW8IPEF.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                Source: C:\Users\user\Desktop\8DiSW8IPEF.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                Source: C:\Users\user\Desktop\8DiSW8IPEF.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                Source: C:\Users\user\Desktop\8DiSW8IPEF.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                Source: C:\Users\user\Desktop\8DiSW8IPEF.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                Source: C:\Users\user\Desktop\8DiSW8IPEF.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                Source: C:\Users\user\Desktop\8DiSW8IPEF.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                Source: C:\Users\user\Desktop\8DiSW8IPEF.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                Source: C:\Users\user\Desktop\8DiSW8IPEF.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                Source: C:\Users\user\Desktop\8DiSW8IPEF.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                Source: C:\Users\user\Desktop\8DiSW8IPEF.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                Source: C:\Users\user\Desktop\8DiSW8IPEF.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                Source: C:\Users\user\Desktop\8DiSW8IPEF.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                Source: C:\Users\user\Desktop\8DiSW8IPEF.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                Source: C:\Users\user\Desktop\8DiSW8IPEF.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                Source: C:\Users\user\Desktop\8DiSW8IPEF.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                Source: C:\Users\user\Desktop\8DiSW8IPEF.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                Source: C:\Users\user\Desktop\8DiSW8IPEF.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                Source: C:\Users\user\Desktop\8DiSW8IPEF.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                Source: C:\Users\user\Desktop\8DiSW8IPEF.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                Source: C:\Users\user\Desktop\8DiSW8IPEF.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

                Stealing of Sensitive Information

                barindex
                Yara detected XWorm
                Source: Yara matchFile source: 8DiSW8IPEF.exe, type: SAMPLE
                Source: Yara matchFile source: 0.0.8DiSW8IPEF.exe.750000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000000.00000000.2041416352.0000000000752000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000002.4513957442.0000000002B01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: 8DiSW8IPEF.exe PID: 5972, type: MEMORYSTR

                Remote Access Functionality

                barindex
                Yara detected XWorm
                Source: Yara matchFile source: 8DiSW8IPEF.exe, type: SAMPLE
                Source: Yara matchFile source: 0.0.8DiSW8IPEF.exe.750000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000000.00000000.2041416352.0000000000752000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000002.4513957442.0000000002B01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: 8DiSW8IPEF.exe PID: 5972, type: MEMORYSTR

                Mitre Att&ck Matrix

                ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                Gather Victim Identity InformationAcquire InfrastructureValid Accounts12
                Windows Management Instrumentation                		1
                DLL Side-Loading                		11
                Process Injection                		11
                Disable or Modify Tools                		OS Credential Dumping441
                Security Software Discovery                		Remote Services11
                Archive Collected Data                		1
                Encrypted Channel                		Exfiltration Over Other Network MediumAbuse Accessibility Features
                CredentialsDomainsDefault Accounts1
                PowerShell                		Boot or Logon Initialization Scripts1
                DLL Side-Loading                		151
                Virtualization/Sandbox Evasion                		LSASS Memory1
                Process Discovery                		Remote Desktop ProtocolData from Removable Media1
                Non-Standard Port                		Exfiltration Over BluetoothNetwork Denial of Service
                Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)11
                Process Injection                		Security Account Manager151
                Virtualization/Sandbox Evasion                		SMB/Windows Admin SharesData from Network Shared Drive1
                Ingress Tool Transfer                		Automated ExfiltrationData Encrypted for Impact
                Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook1
                Deobfuscate/Decode Files or Information                		NTDS1
                Application Window Discovery                		Distributed Component Object ModelInput Capture2
                Non-Application Layer Protocol                		Traffic DuplicationData Destruction
                Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script11
                Obfuscated Files or Information                		LSA Secrets1
                System Network Configuration Discovery                		SSHKeylogging12
                Application Layer Protocol                		Scheduled TransferData Encrypted for Impact
                Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts2
                Software Packing                		Cached Domain Credentials1
                File and Directory Discovery                		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items1
                DLL Side-Loading                		DCSync23
                System Information Discovery                		Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery

                Behavior Graph

                Hide Legend

                Legend:

                • Process
                • Signature
                • Created File
                • DNS/IP Info
                • Is Dropped
                • Is Windows Process
                • Number of created Registry Values
                • Number of created Files
                • Visual Basic
                • Delphi
                • Java
                • .Net C# or VB.NET
                • C, C++ or other language
                • Is malicious
                • Internet

                Screenshots

                Thumbnails

                This section contains all screenshots as thumbnails, including those not shown in the slideshow.


                windows-stand

                Antivirus, Machine Learning and Genetic Malware Detection

                Initial Sample

                SourceDetectionScannerLabelLink
                8DiSW8IPEF.exe79%ReversingLabsWin32.Exploit.Xworm
                8DiSW8IPEF.exe100%AviraTR/Spy.Gen
                8DiSW8IPEF.exe100%Joe Sandbox ML

                Dropped Files

                No Antivirus matches

                Unpacked PE Files

                No Antivirus matches

                Domains

                No Antivirus matches

                URLs

                No Antivirus matches

                Domains and IPs

                Contacted Domains

                NameIPActiveMaliciousAntivirus DetectionReputation
                below-judge.gl.at.ply.gg
                		147.185.221.24
                		truetrue
                  		unknown
                  ip-api.com
                  		208.95.112.1
                  		truefalse
                    		high

                    Contacted URLs

                    NameMaliciousAntivirus DetectionReputation
                    below-judge.gl.at.ply.ggtrue
                      		unknown
                      http://ip-api.com/line/?fields=hostingfalse
                        		high

                        URLs from Memory and Binaries

                        NameSourceMaliciousAntivirus DetectionReputation
                        http://nuget.org/NuGet.exepowershell.exe, 00000002.00000002.2150321970.00000289F110E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2255606853.000001A0BD4AF000.00000004.00000800.00020000.00000000.sdmpfalse
                          		high
                          http://crl.micropowershell.exe, 00000005.00000002.2272644336.000001A0C5A82000.00000004.00000020.00020000.00000000.sdmpfalse
                            		high
                            http://pesterbdd.com/images/Pester.pngpowershell.exe, 00000005.00000002.2194268594.000001A0AD669000.00000004.00000800.00020000.00000000.sdmpfalse
                              		high
                              http://schemas.xmlsoap.org/soap/encoding/powershell.exe, 00000002.00000002.2133056522.00000289E12C8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2194268594.000001A0AD669000.00000004.00000800.00020000.00000000.sdmpfalse
                                		high
                                http://crl.microsoftpowershell.exe, 00000005.00000002.2273917979.000001A0C5B1C000.00000004.00000020.00020000.00000000.sdmpfalse
                                  		high
                                  http://www.apache.org/licenses/LICENSE-2.0.htmlpowershell.exe, 00000005.00000002.2194268594.000001A0AD669000.00000004.00000800.00020000.00000000.sdmpfalse
                                    		high
                                    http://schemas.xmlsoap.org/wsdl/powershell.exe, 00000002.00000002.2133056522.00000289E12C8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2194268594.000001A0AD669000.00000004.00000800.00020000.00000000.sdmpfalse
                                      		high
                                      https://contoso.com/powershell.exe, 00000005.00000002.2255606853.000001A0BD4AF000.00000004.00000800.00020000.00000000.sdmpfalse
                                        		high
                                        https://nuget.org/nuget.exepowershell.exe, 00000002.00000002.2150321970.00000289F110E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2255606853.000001A0BD4AF000.00000004.00000800.00020000.00000000.sdmpfalse
                                          		high
                                          http://crl.micro/pki/crl/productCerAut_2010-06-2powershell.exe, 00000005.00000002.2272644336.000001A0C5A82000.00000004.00000020.00020000.00000000.sdmpfalse
                                            		unknown
                                            https://contoso.com/Licensepowershell.exe, 00000005.00000002.2255606853.000001A0BD4AF000.00000004.00000800.00020000.00000000.sdmpfalse
                                              		high
                                              https://contoso.com/Iconpowershell.exe, 00000005.00000002.2255606853.000001A0BD4AF000.00000004.00000800.00020000.00000000.sdmpfalse
                                                		high
                                                https://ion=v4.535cpowershell.exe, 00000002.00000002.2157144230.00000289F97DC000.00000004.00000020.00020000.00000000.sdmpfalse
                                                  		unknown
                                                  https://aka.ms/pscore68powershell.exe, 00000002.00000002.2133056522.00000289E10A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2194268594.000001A0AD441000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    		high
                                                    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name8DiSW8IPEF.exe, 00000000.00000002.4513957442.0000000002B01000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2133056522.00000289E10A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2194268594.000001A0AD441000.00000004.00000800.00020000.00000000.sdmpfalse
                                                      		high
                                                      http://www.micom/pki/certs/Miut_2010-06-23.crpowershell.exe, 00000005.00000002.2272644336.000001A0C5A82000.00000004.00000020.00020000.00000000.sdmpfalse
                                                        		unknown
                                                        https://github.com/Pester/Pesterpowershell.exe, 00000005.00000002.2194268594.000001A0AD669000.00000004.00000800.00020000.00000000.sdmpfalse
                                                          		high

                                                          World Map of Contacted IPs

                                                          • No. of IPs < 25%
                                                          • 25% < No. of IPs < 50%
                                                          • 50% < No. of IPs < 75%
                                                          • 75% < No. of IPs

                                                          Public IPs

                                                          IPDomainCountryFlagASNASN NameMalicious
                                                          208.95.112.1
                                                          		ip-api.comUnited States
                                                          		53334TUT-ASUSfalse
                                                          147.185.221.24
                                                          		below-judge.gl.at.ply.ggUnited States
                                                          		12087SALSGIVERUStrue

                                                          General Information

                                                          Joe Sandbox version:41.0.0 Charoite
                                                          Analysis ID:1579074
                                                          Start date and time:2024-12-20 19:10:09 +01:00
                                                          Joe Sandbox product:CloudBasic
                                                          Overall analysis duration:0h 7m 57s
                                                          Hypervisor based Inspection enabled:false
                                                          Report type:full
                                                          Cookbook file name:default.jbs
                                                          Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                          Number of analysed new started processes analysed:9
                                                          Number of new started drivers analysed:0
                                                          Number of existing processes analysed:0
                                                          Number of existing drivers analysed:0
                                                          Number of injected processes analysed:0
                                                          Technologies:
                                                          • HCA enabled
                                                          • EGA enabled
                                                          • AMSI enabled
                                                          Analysis Mode:default
                                                          Analysis stop reason:Timeout
                                                          Sample name:8DiSW8IPEF.exe
                                                          renamed because original name is a hash value
                                                          Original Sample Name:f40324b0b7698fa26e5f6ac1b96aca4a037c0ce92739bef46184e25fce617444.exe
                                                          Detection:MAL
                                                          Classification:mal100.troj.evad.winEXE@7/9@2/2
                                                          EGA Information:
                                                          • Successful, ratio: 33.3%
                                                          HCA Information:
                                                          • Successful, ratio: 100%
                                                          • Number of executed functions: 27
                                                          • Number of non-executed functions: 4
                                                          Cookbook Comments:
                                                          • Found application associated with file extension: .exe
                                                          • Override analysis time to 240000 for current running targets taking high CPU consumption

                                                          Warnings

                                                          • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, WmiPrvSE.exe
                                                          • Excluded IPs from analysis (whitelisted): 13.107.246.63, 4.175.87.197
                                                          • Excluded domains from analysis (whitelisted): ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                                          • Execution Graph export aborted for target powershell.exe, PID 4760 because it is empty
                                                          • Execution Graph export aborted for target powershell.exe, PID 6392 because it is empty
                                                          • Not all processes where analyzed, report is missing behavior information
                                                          • Report size exceeded maximum capacity and may have missing behavior information.
                                                          • Report size getting too big, too many NtCreateKey calls found.
                                                          • Report size getting too big, too many NtOpenKeyEx calls found.
                                                          • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                          • Report size getting too big, too many NtQueryValueKey calls found.
                                                          • Report size getting too big, too many NtReadVirtualMemory calls found.
                                                          • VT rate limit hit for: 8DiSW8IPEF.exe

                                                          Simulations

                                                          Behavior and APIs

                                                          TimeTypeDescription
                                                          13:11:07API Interceptor39x Sleep call for process: powershell.exe modified
                                                          13:11:26API Interceptor12433159x Sleep call for process: 8DiSW8IPEF.exe modified

                                                          Joe Sandbox View / Context

                                                          IPs

                                                          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                          208.95.112.1YgJ5inWPQO.exeGet hashmaliciousAsyncRAT, XWormBrowse
                                                          • ip-api.com/line/?fields=hosting
                                                          KJhsNv2RcI.exeGet hashmaliciousXWormBrowse
                                                          • ip-api.com/line/?fields=hosting
                                                          gs7lQa4EuM.exeGet hashmaliciousXWormBrowse
                                                          • ip-api.com/line/?fields=hosting
                                                          doc00290320092.jseGet hashmaliciousAgentTesla, PureLog StealerBrowse
                                                          • ip-api.com/line/?fields=hosting
                                                          DHL_231437894819.bat.exeGet hashmaliciousAgentTeslaBrowse
                                                          • ip-api.com/line/?fields=hosting
                                                          dlhost.exeGet hashmaliciousXWormBrowse
                                                          • ip-api.com/line/?fields=hosting
                                                          WdlA0C4PkO.exeGet hashmaliciousGo Stealer, Skuld StealerBrowse
                                                          • ip-api.com/json
                                                          xt.exeGet hashmaliciousXWormBrowse
                                                          • ip-api.com/line/?fields=hosting
                                                          roblox1.exeGet hashmaliciousPython Stealer, Monster StealerBrowse
                                                          • ip-api.com/json
                                                          roblox.exeGet hashmaliciousPython Stealer, Monster StealerBrowse
                                                          • ip-api.com/json

                                                          Domains

                                                          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                          ip-api.comYgJ5inWPQO.exeGet hashmaliciousAsyncRAT, XWormBrowse
                                                          • 208.95.112.1
                                                          KJhsNv2RcI.exeGet hashmaliciousXWormBrowse
                                                          • 208.95.112.1
                                                          gs7lQa4EuM.exeGet hashmaliciousXWormBrowse
                                                          • 208.95.112.1
                                                          doc00290320092.jseGet hashmaliciousAgentTesla, PureLog StealerBrowse
                                                          • 208.95.112.1
                                                          DHL_231437894819.bat.exeGet hashmaliciousAgentTeslaBrowse
                                                          • 208.95.112.1
                                                          dlhost.exeGet hashmaliciousXWormBrowse
                                                          • 208.95.112.1
                                                          WdlA0C4PkO.exeGet hashmaliciousGo Stealer, Skuld StealerBrowse
                                                          • 208.95.112.1
                                                          xt.exeGet hashmaliciousXWormBrowse
                                                          • 208.95.112.1
                                                          roblox1.exeGet hashmaliciousPython Stealer, Monster StealerBrowse
                                                          • 208.95.112.1
                                                          roblox.exeGet hashmaliciousPython Stealer, Monster StealerBrowse
                                                          • 208.95.112.1

                                                          ASNs

                                                          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                          TUT-ASUSYgJ5inWPQO.exeGet hashmaliciousAsyncRAT, XWormBrowse
                                                          • 208.95.112.1
                                                          KJhsNv2RcI.exeGet hashmaliciousXWormBrowse
                                                          • 208.95.112.1
                                                          gs7lQa4EuM.exeGet hashmaliciousXWormBrowse
                                                          • 208.95.112.1
                                                          doc00290320092.jseGet hashmaliciousAgentTesla, PureLog StealerBrowse
                                                          • 208.95.112.1
                                                          file.exeGet hashmaliciousNetSupport RAT, LummaC, Amadey, Blank Grabber, LummaC Stealer, PureLog StealerBrowse
                                                          • 208.95.112.1
                                                          DHL_231437894819.bat.exeGet hashmaliciousAgentTeslaBrowse
                                                          • 208.95.112.1
                                                          dlhost.exeGet hashmaliciousXWormBrowse
                                                          • 208.95.112.1
                                                          WdlA0C4PkO.exeGet hashmaliciousGo Stealer, Skuld StealerBrowse
                                                          • 208.95.112.1
                                                          xt.exeGet hashmaliciousXWormBrowse
                                                          • 208.95.112.1
                                                          roblox1.exeGet hashmaliciousPython Stealer, Monster StealerBrowse
                                                          • 208.95.112.1
                                                          SALSGIVERUSYgJ5inWPQO.exeGet hashmaliciousAsyncRAT, XWormBrowse
                                                          • 147.185.221.18
                                                          dr2YKJiGH9.exeGet hashmaliciousXWormBrowse
                                                          • 147.185.221.23
                                                          KJhsNv2RcI.exeGet hashmaliciousXWormBrowse
                                                          • 147.185.221.24
                                                          PjGz899RZV.exeGet hashmaliciousXWormBrowse
                                                          • 147.185.221.24
                                                          ehxF3rusxJ.exeGet hashmaliciousXWormBrowse
                                                          • 147.185.221.24
                                                          loligang.ppc.elfGet hashmaliciousMiraiBrowse
                                                          • 147.184.134.130
                                                          Client-built-Playit.exeGet hashmaliciousQuasarBrowse
                                                          • 147.185.221.24
                                                          PowerRat.exeGet hashmaliciousAsyncRATBrowse
                                                          • 147.185.221.211
                                                          file.exeGet hashmaliciousScreenConnect Tool, Amadey, RHADAMANTHYS, XWorm, XmrigBrowse
                                                          • 147.185.221.24
                                                          msedge.exeGet hashmaliciousXWormBrowse
                                                          • 147.185.221.22

                                                          JA3 Fingerprints

                                                          No context

                                                          Dropped Files

                                                          No context

                                                          Created / dropped Files

                                                          C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                          Download File
                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):64
                                                          Entropy (8bit):0.34726597513537405
                                                          Encrypted:false
                                                          SSDEEP:3:Nlll:Nll
                                                          MD5:446DD1CF97EABA21CF14D03AEBC79F27
                                                          SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
                                                          SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
                                                          SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
                                                          Malicious:false
                                                          Reputation:high, very likely benign file
                                                          Preview:@...e...........................................................

                                                          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_11j5pwt3.l32.ps1

                                                          Download File
                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:ASCII text, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):60
                                                          Entropy (8bit):4.038920595031593
                                                          Encrypted:false
                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                          Malicious:false
                                                          Reputation:high, very likely benign file
                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1v3vvd5n.22f.ps1

                                                          Download File
                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:ASCII text, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):60
                                                          Entropy (8bit):4.038920595031593
                                                          Encrypted:false
                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                          Malicious:false
                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3nrirtkv.imd.psm1

                                                          Download File
                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:ASCII text, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):60
                                                          Entropy (8bit):4.038920595031593
                                                          Encrypted:false
                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                          Malicious:false
                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_isk4g3hk.nd4.ps1

                                                          Download File
                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:ASCII text, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):60
                                                          Entropy (8bit):4.038920595031593
                                                          Encrypted:false
                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                          Malicious:false
                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ost033aq.fc2.psm1

                                                          Download File
                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:ASCII text, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):60
                                                          Entropy (8bit):4.038920595031593
                                                          Encrypted:false
                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                          Malicious:false
                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_sjqk3ny2.b12.psm1

                                                          Download File
                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:ASCII text, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):60
                                                          Entropy (8bit):4.038920595031593
                                                          Encrypted:false
                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                          Malicious:false
                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yhasmhsk.jeo.psm1

                                                          Download File
                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:ASCII text, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):60
                                                          Entropy (8bit):4.038920595031593
                                                          Encrypted:false
                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                          Malicious:false
                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yuiu34j4.fsm.ps1

                                                          Download File
                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:ASCII text, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):60
                                                          Entropy (8bit):4.038920595031593
                                                          Encrypted:false
                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                          Malicious:false
                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                          Static File Info

                                                          General

                                                          File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                          Entropy (8bit):5.8778689612041255
                                                          TrID:
                                                          • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                                          • Win32 Executable (generic) a (10002005/4) 49.75%
                                                          • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                          • Windows Screen Saver (13104/52) 0.07%
                                                          • Generic Win/DOS Executable (2004/3) 0.01%
                                                          File name:8DiSW8IPEF.exe
                                                          File size:66'560 bytes
                                                          MD5:ad71876f6dfb18657b7ee257084b6c8b
                                                          SHA1:02af6c56f55066b24e85e91f8eb97a954fc545fd
                                                          SHA256:f40324b0b7698fa26e5f6ac1b96aca4a037c0ce92739bef46184e25fce617444
                                                          SHA512:f57a95a15de16f3ded4979aeb93f820222d40da6ca63b515ec73211deb09b8be23a6fe21b76ee89cc3583fb5ce3d348e16c467fc1bb493308366a19a89f3f24a
                                                          SSDEEP:1536:zZ+dcvTkbb4zx+C3HkL9jcz+lzbTfpBPKbu63SOJj9QAVyS+:VdQwzR0L9gzcb7pYbSOJKAVg
                                                          TLSH:47534B2877F14515F1FFAFF06DF27122C776B6235902E65F2498428A0723A88CE166F9
                                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...2.dg................................. ... ....@.. .......................`............@................................

                                                          File Icon

                                                          Icon Hash:00928e8e8686b000

                                                          Static PE Info

                                                          General

                                                          Entrypoint:0x41181e
                                                          Entrypoint Section:.text
                                                          Digitally signed:false
                                                          Imagebase:0x400000
                                                          Subsystem:windows gui
                                                          Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                          DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                          Time Stamp:0x6764B232 [Thu Dec 19 23:54:26 2024 UTC]
                                                          TLS Callbacks:
                                                          CLR (.Net) Version:
                                                          OS Version Major:4
                                                          OS Version Minor:0
                                                          File Version Major:4
                                                          File Version Minor:0
                                                          Subsystem Version Major:4
                                                          Subsystem Version Minor:0
                                                          Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                          Entrypoint Preview

                                                          Instruction
                                                          jmp dword ptr [00402000h]
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al

                                                          Data Directories

                                                          NameVirtual AddressVirtual Size Is in Section
                                                          IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                                          IMAGE_DIRECTORY_ENTRY_IMPORT0x117cc0x4f.text
                                                          IMAGE_DIRECTORY_ENTRY_RESOURCE0x120000x4ce.rsrc
                                                          IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                                          IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                                          IMAGE_DIRECTORY_ENTRY_BASERELOC0x140000xc.reloc
                                                          IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                                                          IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                                          IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                                          IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                                          IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                                          IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                                          IMAGE_DIRECTORY_ENTRY_IAT0x20000x8.text
                                                          IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                                          IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20080x48.text
                                                          IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                                          Sections

                                                          NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                                          .text0x20000xf8240xfa008a436995219a4bca5a71cdc12a823849False0.59365625data5.959257057430584IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                          .rsrc0x120000x4ce0x600d31e83d571e4a0c2c24ce1a115352655False0.373046875data3.7069016765347786IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                          .reloc0x140000xc0x20072a3c8f9a8c07c217f62ec51bb94d9a5False0.044921875data0.10191042566270775IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                          Resources

                                                          NameRVASizeTypeLanguageCountryZLIB Complexity
                                                          RT_VERSION0x120a00x244data0.4706896551724138
                                                          RT_MANIFEST0x122e40x1eaXML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators0.5469387755102041

                                                          Imports

                                                          DLLImport
                                                          mscoree.dll_CorExeMain

                                                          Network Behavior

                                                          Suricata IDS Alerts

                                                          TimestampSIDSignatureSeveritySource IPSource PortDest IPDest PortProtocol
                                                          2024-12-20T19:12:32.301021+01002855924ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound1192.168.2.549870147.185.221.2436197TCP
                                                          2024-12-20T19:13:51.515432+01002853193ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound1192.168.2.549993147.185.221.2436197TCP

                                                          Network Port Distribution

                                                          TCP Packets

                                                          TimestampSource PortDest PortSource IPDest IP
                                                          Dec 20, 2024 19:11:06.183303118 CET4970480192.168.2.5208.95.112.1
                                                          Dec 20, 2024 19:11:06.304714918 CET8049704208.95.112.1192.168.2.5
                                                          Dec 20, 2024 19:11:06.304932117 CET4970480192.168.2.5208.95.112.1
                                                          Dec 20, 2024 19:11:06.305644035 CET4970480192.168.2.5208.95.112.1
                                                          Dec 20, 2024 19:11:06.425225973 CET8049704208.95.112.1192.168.2.5
                                                          Dec 20, 2024 19:11:07.457724094 CET8049704208.95.112.1192.168.2.5
                                                          Dec 20, 2024 19:11:07.499345064 CET4970480192.168.2.5208.95.112.1
                                                          Dec 20, 2024 19:11:27.338417053 CET4972136197192.168.2.5147.185.221.24
                                                          Dec 20, 2024 19:11:27.457990885 CET3619749721147.185.221.24192.168.2.5
                                                          Dec 20, 2024 19:11:27.458153963 CET4972136197192.168.2.5147.185.221.24
                                                          Dec 20, 2024 19:11:27.522846937 CET4972136197192.168.2.5147.185.221.24
                                                          Dec 20, 2024 19:11:27.642606974 CET3619749721147.185.221.24192.168.2.5
                                                          Dec 20, 2024 19:11:32.882323980 CET3619749721147.185.221.24192.168.2.5
                                                          Dec 20, 2024 19:11:32.882396936 CET4972136197192.168.2.5147.185.221.24
                                                          Dec 20, 2024 19:11:34.311916113 CET4972136197192.168.2.5147.185.221.24
                                                          Dec 20, 2024 19:11:34.314064980 CET4974036197192.168.2.5147.185.221.24
                                                          Dec 20, 2024 19:11:34.431649923 CET3619749721147.185.221.24192.168.2.5
                                                          Dec 20, 2024 19:11:34.433793068 CET3619749740147.185.221.24192.168.2.5
                                                          Dec 20, 2024 19:11:34.433902025 CET4974036197192.168.2.5147.185.221.24
                                                          Dec 20, 2024 19:11:34.452821016 CET4974036197192.168.2.5147.185.221.24
                                                          Dec 20, 2024 19:11:34.572506905 CET3619749740147.185.221.24192.168.2.5
                                                          Dec 20, 2024 19:11:39.971576929 CET3619749740147.185.221.24192.168.2.5
                                                          Dec 20, 2024 19:11:39.971719980 CET4974036197192.168.2.5147.185.221.24
                                                          Dec 20, 2024 19:11:43.687083960 CET4974036197192.168.2.5147.185.221.24
                                                          Dec 20, 2024 19:11:43.690502882 CET4976236197192.168.2.5147.185.221.24
                                                          Dec 20, 2024 19:11:43.806875944 CET3619749740147.185.221.24192.168.2.5
                                                          Dec 20, 2024 19:11:43.810152054 CET3619749762147.185.221.24192.168.2.5
                                                          Dec 20, 2024 19:11:43.810278893 CET4976236197192.168.2.5147.185.221.24
                                                          Dec 20, 2024 19:11:43.828644991 CET4976236197192.168.2.5147.185.221.24
                                                          Dec 20, 2024 19:11:43.948412895 CET3619749762147.185.221.24192.168.2.5
                                                          Dec 20, 2024 19:11:49.205214977 CET3619749762147.185.221.24192.168.2.5
                                                          Dec 20, 2024 19:11:49.205646992 CET4976236197192.168.2.5147.185.221.24
                                                          Dec 20, 2024 19:11:52.358947039 CET4976236197192.168.2.5147.185.221.24
                                                          Dec 20, 2024 19:11:52.360449076 CET4978336197192.168.2.5147.185.221.24
                                                          Dec 20, 2024 19:11:52.478650093 CET3619749762147.185.221.24192.168.2.5
                                                          Dec 20, 2024 19:11:52.480036020 CET3619749783147.185.221.24192.168.2.5
                                                          Dec 20, 2024 19:11:52.480158091 CET4978336197192.168.2.5147.185.221.24
                                                          Dec 20, 2024 19:11:52.499195099 CET4978336197192.168.2.5147.185.221.24
                                                          Dec 20, 2024 19:11:52.619384050 CET3619749783147.185.221.24192.168.2.5
                                                          Dec 20, 2024 19:11:58.009124041 CET3619749783147.185.221.24192.168.2.5
                                                          Dec 20, 2024 19:11:58.009228945 CET4978336197192.168.2.5147.185.221.24
                                                          Dec 20, 2024 19:12:01.827698946 CET4978336197192.168.2.5147.185.221.24
                                                          Dec 20, 2024 19:12:01.832505941 CET4980536197192.168.2.5147.185.221.24
                                                          Dec 20, 2024 19:12:01.947371960 CET3619749783147.185.221.24192.168.2.5
                                                          Dec 20, 2024 19:12:01.952068090 CET3619749805147.185.221.24192.168.2.5
                                                          Dec 20, 2024 19:12:01.955770016 CET4980536197192.168.2.5147.185.221.24
                                                          Dec 20, 2024 19:12:01.972126961 CET4980536197192.168.2.5147.185.221.24
                                                          Dec 20, 2024 19:12:02.091701984 CET3619749805147.185.221.24192.168.2.5
                                                          Dec 20, 2024 19:12:08.127938986 CET3619749805147.185.221.24192.168.2.5
                                                          Dec 20, 2024 19:12:08.128038883 CET4980536197192.168.2.5147.185.221.24
                                                          Dec 20, 2024 19:12:08.999484062 CET4980536197192.168.2.5147.185.221.24
                                                          Dec 20, 2024 19:12:09.001307964 CET4982236197192.168.2.5147.185.221.24
                                                          Dec 20, 2024 19:12:09.119410992 CET3619749805147.185.221.24192.168.2.5
                                                          Dec 20, 2024 19:12:09.121155024 CET3619749822147.185.221.24192.168.2.5
                                                          Dec 20, 2024 19:12:09.121278048 CET4982236197192.168.2.5147.185.221.24
                                                          Dec 20, 2024 19:12:09.139004946 CET4982236197192.168.2.5147.185.221.24
                                                          Dec 20, 2024 19:12:09.258712053 CET3619749822147.185.221.24192.168.2.5
                                                          Dec 20, 2024 19:12:12.330498934 CET8049704208.95.112.1192.168.2.5
                                                          Dec 20, 2024 19:12:12.330605030 CET4970480192.168.2.5208.95.112.1
                                                          Dec 20, 2024 19:12:14.472623110 CET3619749822147.185.221.24192.168.2.5
                                                          Dec 20, 2024 19:12:14.472729921 CET4982236197192.168.2.5147.185.221.24
                                                          Dec 20, 2024 19:12:15.328810930 CET4982236197192.168.2.5147.185.221.24
                                                          Dec 20, 2024 19:12:15.331105947 CET4983836197192.168.2.5147.185.221.24
                                                          Dec 20, 2024 19:12:15.449266911 CET3619749822147.185.221.24192.168.2.5
                                                          Dec 20, 2024 19:12:15.451893091 CET3619749838147.185.221.24192.168.2.5
                                                          Dec 20, 2024 19:12:15.451992989 CET4983836197192.168.2.5147.185.221.24
                                                          Dec 20, 2024 19:12:15.495932102 CET4983836197192.168.2.5147.185.221.24
                                                          Dec 20, 2024 19:12:15.615776062 CET3619749838147.185.221.24192.168.2.5
                                                          Dec 20, 2024 19:12:23.139962912 CET3619749838147.185.221.24192.168.2.5
                                                          Dec 20, 2024 19:12:23.140086889 CET4983836197192.168.2.5147.185.221.24
                                                          Dec 20, 2024 19:12:23.281239033 CET4983836197192.168.2.5147.185.221.24
                                                          Dec 20, 2024 19:12:23.335834980 CET4985836197192.168.2.5147.185.221.24
                                                          Dec 20, 2024 19:12:23.401199102 CET3619749838147.185.221.24192.168.2.5
                                                          Dec 20, 2024 19:12:23.455497026 CET3619749858147.185.221.24192.168.2.5
                                                          Dec 20, 2024 19:12:23.455581903 CET4985836197192.168.2.5147.185.221.24
                                                          Dec 20, 2024 19:12:23.474983931 CET4985836197192.168.2.5147.185.221.24
                                                          Dec 20, 2024 19:12:23.594618082 CET3619749858147.185.221.24192.168.2.5
                                                          Dec 20, 2024 19:12:28.833039999 CET3619749858147.185.221.24192.168.2.5
                                                          Dec 20, 2024 19:12:28.833134890 CET4985836197192.168.2.5147.185.221.24
                                                          Dec 20, 2024 19:12:28.843441963 CET4985836197192.168.2.5147.185.221.24
                                                          Dec 20, 2024 19:12:28.846702099 CET4987036197192.168.2.5147.185.221.24
                                                          Dec 20, 2024 19:12:28.963128090 CET3619749858147.185.221.24192.168.2.5
                                                          Dec 20, 2024 19:12:28.966291904 CET3619749870147.185.221.24192.168.2.5
                                                          Dec 20, 2024 19:12:28.966373920 CET4987036197192.168.2.5147.185.221.24
                                                          Dec 20, 2024 19:12:28.984941959 CET4987036197192.168.2.5147.185.221.24
                                                          Dec 20, 2024 19:12:29.104686022 CET3619749870147.185.221.24192.168.2.5
                                                          Dec 20, 2024 19:12:32.301021099 CET4987036197192.168.2.5147.185.221.24
                                                          Dec 20, 2024 19:12:32.420464993 CET3619749870147.185.221.24192.168.2.5
                                                          Dec 20, 2024 19:12:33.422852039 CET4987036197192.168.2.5147.185.221.24
                                                          Dec 20, 2024 19:12:33.542356014 CET3619749870147.185.221.24192.168.2.5
                                                          Dec 20, 2024 19:12:34.329360008 CET3619749870147.185.221.24192.168.2.5
                                                          Dec 20, 2024 19:12:34.329426050 CET4987036197192.168.2.5147.185.221.24
                                                          Dec 20, 2024 19:12:36.343127966 CET4987036197192.168.2.5147.185.221.24
                                                          Dec 20, 2024 19:12:36.345622063 CET4989036197192.168.2.5147.185.221.24
                                                          Dec 20, 2024 19:12:36.462873936 CET3619749870147.185.221.24192.168.2.5
                                                          Dec 20, 2024 19:12:36.465286016 CET3619749890147.185.221.24192.168.2.5
                                                          Dec 20, 2024 19:12:36.465451956 CET4989036197192.168.2.5147.185.221.24
                                                          Dec 20, 2024 19:12:36.503561974 CET4989036197192.168.2.5147.185.221.24
                                                          Dec 20, 2024 19:12:36.623202085 CET3619749890147.185.221.24192.168.2.5
                                                          Dec 20, 2024 19:12:36.623266935 CET4989036197192.168.2.5147.185.221.24
                                                          Dec 20, 2024 19:12:36.743061066 CET3619749890147.185.221.24192.168.2.5
                                                          Dec 20, 2024 19:12:40.939409018 CET4989036197192.168.2.5147.185.221.24
                                                          Dec 20, 2024 19:12:41.059073925 CET3619749890147.185.221.24192.168.2.5
                                                          Dec 20, 2024 19:12:43.145589113 CET3619749890147.185.221.24192.168.2.5
                                                          Dec 20, 2024 19:12:43.145683050 CET4989036197192.168.2.5147.185.221.24
                                                          Dec 20, 2024 19:12:46.655611992 CET4989036197192.168.2.5147.185.221.24
                                                          Dec 20, 2024 19:12:46.658468008 CET4991636197192.168.2.5147.185.221.24
                                                          Dec 20, 2024 19:12:46.775173903 CET3619749890147.185.221.24192.168.2.5
                                                          Dec 20, 2024 19:12:46.778059006 CET3619749916147.185.221.24192.168.2.5
                                                          Dec 20, 2024 19:12:46.778243065 CET4991636197192.168.2.5147.185.221.24
                                                          Dec 20, 2024 19:12:46.814785957 CET4991636197192.168.2.5147.185.221.24
                                                          Dec 20, 2024 19:12:46.934279919 CET3619749916147.185.221.24192.168.2.5
                                                          Dec 20, 2024 19:12:47.470581055 CET4970480192.168.2.5208.95.112.1
                                                          Dec 20, 2024 19:12:47.590034008 CET8049704208.95.112.1192.168.2.5
                                                          Dec 20, 2024 19:12:52.166882992 CET3619749916147.185.221.24192.168.2.5
                                                          Dec 20, 2024 19:12:52.166979074 CET4991636197192.168.2.5147.185.221.24
                                                          Dec 20, 2024 19:12:57.046348095 CET4991636197192.168.2.5147.185.221.24
                                                          Dec 20, 2024 19:12:57.049083948 CET4993736197192.168.2.5147.185.221.24
                                                          Dec 20, 2024 19:12:57.165977001 CET3619749916147.185.221.24192.168.2.5
                                                          Dec 20, 2024 19:12:57.169029951 CET3619749937147.185.221.24192.168.2.5
                                                          Dec 20, 2024 19:12:57.169161081 CET4993736197192.168.2.5147.185.221.24
                                                          Dec 20, 2024 19:12:57.239936113 CET4993736197192.168.2.5147.185.221.24
                                                          Dec 20, 2024 19:12:57.359565973 CET3619749937147.185.221.24192.168.2.5
                                                          Dec 20, 2024 19:12:57.359658957 CET4993736197192.168.2.5147.185.221.24
                                                          Dec 20, 2024 19:12:57.479286909 CET3619749937147.185.221.24192.168.2.5
                                                          Dec 20, 2024 19:13:02.540095091 CET3619749937147.185.221.24192.168.2.5
                                                          Dec 20, 2024 19:13:02.540160894 CET4993736197192.168.2.5147.185.221.24
                                                          Dec 20, 2024 19:13:02.611244917 CET4993736197192.168.2.5147.185.221.24
                                                          Dec 20, 2024 19:13:02.614809990 CET4995136197192.168.2.5147.185.221.24
                                                          Dec 20, 2024 19:13:02.730799913 CET3619749937147.185.221.24192.168.2.5
                                                          Dec 20, 2024 19:13:02.734342098 CET3619749951147.185.221.24192.168.2.5
                                                          Dec 20, 2024 19:13:02.734471083 CET4995136197192.168.2.5147.185.221.24
                                                          Dec 20, 2024 19:13:02.780217886 CET4995136197192.168.2.5147.185.221.24
                                                          Dec 20, 2024 19:13:02.900044918 CET3619749951147.185.221.24192.168.2.5
                                                          Dec 20, 2024 19:13:02.903750896 CET4995136197192.168.2.5147.185.221.24
                                                          Dec 20, 2024 19:13:03.023332119 CET3619749951147.185.221.24192.168.2.5
                                                          Dec 20, 2024 19:13:08.212374926 CET3619749951147.185.221.24192.168.2.5
                                                          Dec 20, 2024 19:13:08.212450981 CET4995136197192.168.2.5147.185.221.24
                                                          Dec 20, 2024 19:13:08.390048981 CET4995136197192.168.2.5147.185.221.24
                                                          Dec 20, 2024 19:13:08.392541885 CET4996736197192.168.2.5147.185.221.24
                                                          Dec 20, 2024 19:13:08.509630919 CET3619749951147.185.221.24192.168.2.5
                                                          Dec 20, 2024 19:13:08.512093067 CET3619749967147.185.221.24192.168.2.5
                                                          Dec 20, 2024 19:13:08.512196064 CET4996736197192.168.2.5147.185.221.24
                                                          Dec 20, 2024 19:13:08.561696053 CET4996736197192.168.2.5147.185.221.24
                                                          Dec 20, 2024 19:13:08.681274891 CET3619749967147.185.221.24192.168.2.5
                                                          Dec 20, 2024 19:13:11.032305956 CET4996736197192.168.2.5147.185.221.24
                                                          Dec 20, 2024 19:13:11.151896000 CET3619749967147.185.221.24192.168.2.5
                                                          Dec 20, 2024 19:13:12.624584913 CET4996736197192.168.2.5147.185.221.24
                                                          Dec 20, 2024 19:13:12.746364117 CET3619749967147.185.221.24192.168.2.5
                                                          Dec 20, 2024 19:13:13.906099081 CET4996736197192.168.2.5147.185.221.24
                                                          Dec 20, 2024 19:13:14.025777102 CET3619749967147.185.221.24192.168.2.5
                                                          Dec 20, 2024 19:13:14.025840044 CET4996736197192.168.2.5147.185.221.24
                                                          Dec 20, 2024 19:13:14.118191004 CET3619749967147.185.221.24192.168.2.5
                                                          Dec 20, 2024 19:13:14.118264914 CET4996736197192.168.2.5147.185.221.24
                                                          Dec 20, 2024 19:13:14.118324995 CET4996736197192.168.2.5147.185.221.24
                                                          Dec 20, 2024 19:13:14.120425940 CET4997936197192.168.2.5147.185.221.24
                                                          Dec 20, 2024 19:13:14.145379066 CET3619749967147.185.221.24192.168.2.5
                                                          Dec 20, 2024 19:13:14.237798929 CET3619749967147.185.221.24192.168.2.5
                                                          Dec 20, 2024 19:13:14.237812996 CET3619749967147.185.221.24192.168.2.5
                                                          Dec 20, 2024 19:13:14.240051031 CET3619749979147.185.221.24192.168.2.5
                                                          Dec 20, 2024 19:13:14.240130901 CET4997936197192.168.2.5147.185.221.24
                                                          Dec 20, 2024 19:13:14.276878119 CET4997936197192.168.2.5147.185.221.24
                                                          Dec 20, 2024 19:13:14.396506071 CET3619749979147.185.221.24192.168.2.5
                                                          Dec 20, 2024 19:13:14.396578074 CET4997936197192.168.2.5147.185.221.24
                                                          Dec 20, 2024 19:13:14.516253948 CET3619749979147.185.221.24192.168.2.5
                                                          Dec 20, 2024 19:13:14.516319990 CET4997936197192.168.2.5147.185.221.24
                                                          Dec 20, 2024 19:13:14.635891914 CET3619749979147.185.221.24192.168.2.5
                                                          Dec 20, 2024 19:13:16.140362978 CET4997936197192.168.2.5147.185.221.24
                                                          Dec 20, 2024 19:13:16.260039091 CET3619749979147.185.221.24192.168.2.5
                                                          Dec 20, 2024 19:13:20.010083914 CET3619749979147.185.221.24192.168.2.5
                                                          Dec 20, 2024 19:13:20.010557890 CET4997936197192.168.2.5147.185.221.24
                                                          Dec 20, 2024 19:13:24.813692093 CET4997936197192.168.2.5147.185.221.24
                                                          Dec 20, 2024 19:13:24.814835072 CET4999136197192.168.2.5147.185.221.24
                                                          Dec 20, 2024 19:13:24.933132887 CET3619749979147.185.221.24192.168.2.5
                                                          Dec 20, 2024 19:13:24.935123920 CET3619749991147.185.221.24192.168.2.5
                                                          Dec 20, 2024 19:13:24.935210943 CET4999136197192.168.2.5147.185.221.24
                                                          Dec 20, 2024 19:13:24.974458933 CET4999136197192.168.2.5147.185.221.24
                                                          Dec 20, 2024 19:13:25.094010115 CET3619749991147.185.221.24192.168.2.5
                                                          Dec 20, 2024 19:13:25.094068050 CET4999136197192.168.2.5147.185.221.24
                                                          Dec 20, 2024 19:13:25.214462042 CET3619749991147.185.221.24192.168.2.5
                                                          Dec 20, 2024 19:13:25.214534998 CET4999136197192.168.2.5147.185.221.24
                                                          Dec 20, 2024 19:13:25.334094048 CET3619749991147.185.221.24192.168.2.5
                                                          Dec 20, 2024 19:13:27.218547106 CET4999136197192.168.2.5147.185.221.24
                                                          Dec 20, 2024 19:13:27.338027000 CET3619749991147.185.221.24192.168.2.5
                                                          Dec 20, 2024 19:13:30.462976933 CET3619749991147.185.221.24192.168.2.5
                                                          Dec 20, 2024 19:13:30.463078976 CET4999136197192.168.2.5147.185.221.24
                                                          Dec 20, 2024 19:13:35.405636072 CET4999136197192.168.2.5147.185.221.24
                                                          Dec 20, 2024 19:13:35.409270048 CET4999236197192.168.2.5147.185.221.24
                                                          Dec 20, 2024 19:13:35.525842905 CET3619749991147.185.221.24192.168.2.5
                                                          Dec 20, 2024 19:13:35.529591084 CET3619749992147.185.221.24192.168.2.5
                                                          Dec 20, 2024 19:13:35.529665947 CET4999236197192.168.2.5147.185.221.24
                                                          Dec 20, 2024 19:13:35.572382927 CET4999236197192.168.2.5147.185.221.24
                                                          Dec 20, 2024 19:13:35.691848040 CET3619749992147.185.221.24192.168.2.5
                                                          Dec 20, 2024 19:13:35.691976070 CET4999236197192.168.2.5147.185.221.24
                                                          Dec 20, 2024 19:13:35.811728954 CET3619749992147.185.221.24192.168.2.5
                                                          Dec 20, 2024 19:13:35.812525034 CET4999236197192.168.2.5147.185.221.24
                                                          Dec 20, 2024 19:13:35.932188034 CET3619749992147.185.221.24192.168.2.5
                                                          Dec 20, 2024 19:13:35.937087059 CET4999236197192.168.2.5147.185.221.24
                                                          Dec 20, 2024 19:13:36.056647062 CET3619749992147.185.221.24192.168.2.5
                                                          Dec 20, 2024 19:13:40.908977032 CET3619749992147.185.221.24192.168.2.5
                                                          Dec 20, 2024 19:13:40.909044027 CET4999236197192.168.2.5147.185.221.24
                                                          Dec 20, 2024 19:13:40.986145973 CET4999236197192.168.2.5147.185.221.24
                                                          Dec 20, 2024 19:13:40.989095926 CET4999336197192.168.2.5147.185.221.24
                                                          Dec 20, 2024 19:13:41.105937004 CET3619749992147.185.221.24192.168.2.5
                                                          Dec 20, 2024 19:13:41.108671904 CET3619749993147.185.221.24192.168.2.5
                                                          Dec 20, 2024 19:13:41.108748913 CET4999336197192.168.2.5147.185.221.24
                                                          Dec 20, 2024 19:13:41.150340080 CET4999336197192.168.2.5147.185.221.24
                                                          Dec 20, 2024 19:13:41.270495892 CET3619749993147.185.221.24192.168.2.5
                                                          Dec 20, 2024 19:13:41.270603895 CET4999336197192.168.2.5147.185.221.24
                                                          Dec 20, 2024 19:13:41.390315056 CET3619749993147.185.221.24192.168.2.5
                                                          Dec 20, 2024 19:13:42.672169924 CET4999336197192.168.2.5147.185.221.24
                                                          Dec 20, 2024 19:13:42.791881084 CET3619749993147.185.221.24192.168.2.5
                                                          Dec 20, 2024 19:13:43.749628067 CET4999336197192.168.2.5147.185.221.24
                                                          Dec 20, 2024 19:13:43.869548082 CET3619749993147.185.221.24192.168.2.5
                                                          Dec 20, 2024 19:13:48.269731998 CET4999336197192.168.2.5147.185.221.24
                                                          Dec 20, 2024 19:13:48.389466047 CET3619749993147.185.221.24192.168.2.5
                                                          Dec 20, 2024 19:13:51.515431881 CET4999336197192.168.2.5147.185.221.24
                                                          Dec 20, 2024 19:13:51.635457039 CET3619749993147.185.221.24192.168.2.5
                                                          Dec 20, 2024 19:13:57.405934095 CET4999336197192.168.2.5147.185.221.24
                                                          Dec 20, 2024 19:13:57.526643991 CET3619749993147.185.221.24192.168.2.5
                                                          Dec 20, 2024 19:13:57.526694059 CET4999336197192.168.2.5147.185.221.24
                                                          Dec 20, 2024 19:13:57.646217108 CET3619749993147.185.221.24192.168.2.5
                                                          Dec 20, 2024 19:14:07.093439102 CET3619749993147.185.221.24192.168.2.5
                                                          Dec 20, 2024 19:14:07.093504906 CET4999336197192.168.2.5147.185.221.24
                                                          Dec 20, 2024 19:14:07.452522993 CET4999336197192.168.2.5147.185.221.24
                                                          Dec 20, 2024 19:14:07.455269098 CET4999436197192.168.2.5147.185.221.24
                                                          Dec 20, 2024 19:14:07.572143078 CET3619749993147.185.221.24192.168.2.5
                                                          Dec 20, 2024 19:14:07.575001955 CET3619749994147.185.221.24192.168.2.5
                                                          Dec 20, 2024 19:14:07.575076103 CET4999436197192.168.2.5147.185.221.24
                                                          Dec 20, 2024 19:14:07.613483906 CET4999436197192.168.2.5147.185.221.24
                                                          Dec 20, 2024 19:14:07.733273029 CET3619749994147.185.221.24192.168.2.5
                                                          Dec 20, 2024 19:14:07.733319044 CET4999436197192.168.2.5147.185.221.24
                                                          Dec 20, 2024 19:14:07.854990005 CET3619749994147.185.221.24192.168.2.5
                                                          Dec 20, 2024 19:14:07.855149031 CET4999436197192.168.2.5147.185.221.24
                                                          Dec 20, 2024 19:14:07.977585077 CET3619749994147.185.221.24192.168.2.5
                                                          Dec 20, 2024 19:14:12.905949116 CET3619749994147.185.221.24192.168.2.5
                                                          Dec 20, 2024 19:14:12.906105995 CET4999436197192.168.2.5147.185.221.24
                                                          Dec 20, 2024 19:14:12.906510115 CET4999436197192.168.2.5147.185.221.24
                                                          Dec 20, 2024 19:14:12.908373117 CET4999536197192.168.2.5147.185.221.24
                                                          Dec 20, 2024 19:14:13.026957035 CET3619749994147.185.221.24192.168.2.5
                                                          Dec 20, 2024 19:14:13.028651953 CET3619749995147.185.221.24192.168.2.5
                                                          Dec 20, 2024 19:14:13.028768063 CET4999536197192.168.2.5147.185.221.24
                                                          Dec 20, 2024 19:14:13.063412905 CET4999536197192.168.2.5147.185.221.24
                                                          Dec 20, 2024 19:14:13.183126926 CET3619749995147.185.221.24192.168.2.5
                                                          Dec 20, 2024 19:14:13.202706099 CET4999536197192.168.2.5147.185.221.24
                                                          Dec 20, 2024 19:14:13.322431087 CET3619749995147.185.221.24192.168.2.5
                                                          Dec 20, 2024 19:14:13.703008890 CET4999536197192.168.2.5147.185.221.24
                                                          Dec 20, 2024 19:14:13.822709084 CET3619749995147.185.221.24192.168.2.5
                                                          Dec 20, 2024 19:14:16.173719883 CET4999536197192.168.2.5147.185.221.24
                                                          Dec 20, 2024 19:14:16.293200970 CET3619749995147.185.221.24192.168.2.5
                                                          Dec 20, 2024 19:14:18.433183908 CET3619749995147.185.221.24192.168.2.5
                                                          Dec 20, 2024 19:14:18.433296919 CET4999536197192.168.2.5147.185.221.24
                                                          Dec 20, 2024 19:14:23.374625921 CET4999536197192.168.2.5147.185.221.24
                                                          Dec 20, 2024 19:14:23.377099991 CET4999636197192.168.2.5147.185.221.24
                                                          Dec 20, 2024 19:14:23.494062901 CET3619749995147.185.221.24192.168.2.5
                                                          Dec 20, 2024 19:14:23.496609926 CET3619749996147.185.221.24192.168.2.5
                                                          Dec 20, 2024 19:14:23.496704102 CET4999636197192.168.2.5147.185.221.24
                                                          Dec 20, 2024 19:14:23.530968904 CET4999636197192.168.2.5147.185.221.24
                                                          Dec 20, 2024 19:14:23.650635004 CET3619749996147.185.221.24192.168.2.5
                                                          Dec 20, 2024 19:14:23.650696993 CET4999636197192.168.2.5147.185.221.24
                                                          Dec 20, 2024 19:14:23.770196915 CET3619749996147.185.221.24192.168.2.5
                                                          Dec 20, 2024 19:14:23.770245075 CET4999636197192.168.2.5147.185.221.24
                                                          Dec 20, 2024 19:14:23.889767885 CET3619749996147.185.221.24192.168.2.5
                                                          Dec 20, 2024 19:14:23.889894009 CET4999636197192.168.2.5147.185.221.24
                                                          Dec 20, 2024 19:14:24.009442091 CET3619749996147.185.221.24192.168.2.5
                                                          Dec 20, 2024 19:14:24.009630919 CET4999636197192.168.2.5147.185.221.24
                                                          Dec 20, 2024 19:14:24.129416943 CET3619749996147.185.221.24192.168.2.5
                                                          Dec 20, 2024 19:14:29.190546989 CET3619749996147.185.221.24192.168.2.5
                                                          Dec 20, 2024 19:14:29.190700054 CET4999636197192.168.2.5147.185.221.24
                                                          Dec 20, 2024 19:14:33.924462080 CET4999636197192.168.2.5147.185.221.24
                                                          Dec 20, 2024 19:14:33.927026033 CET4999736197192.168.2.5147.185.221.24
                                                          Dec 20, 2024 19:14:34.044198990 CET3619749996147.185.221.24192.168.2.5
                                                          Dec 20, 2024 19:14:34.046542883 CET3619749997147.185.221.24192.168.2.5
                                                          Dec 20, 2024 19:14:34.046654940 CET4999736197192.168.2.5147.185.221.24
                                                          Dec 20, 2024 19:14:34.147403955 CET4999736197192.168.2.5147.185.221.24
                                                          Dec 20, 2024 19:14:34.266990900 CET3619749997147.185.221.24192.168.2.5
                                                          Dec 20, 2024 19:14:36.515269995 CET4999736197192.168.2.5147.185.221.24
                                                          Dec 20, 2024 19:14:36.634887934 CET3619749997147.185.221.24192.168.2.5
                                                          Dec 20, 2024 19:14:39.265535116 CET4999736197192.168.2.5147.185.221.24
                                                          Dec 20, 2024 19:14:39.385191917 CET3619749997147.185.221.24192.168.2.5
                                                          Dec 20, 2024 19:14:39.385262012 CET4999736197192.168.2.5147.185.221.24
                                                          Dec 20, 2024 19:14:39.428241014 CET3619749997147.185.221.24192.168.2.5
                                                          Dec 20, 2024 19:14:39.428308010 CET4999736197192.168.2.5147.185.221.24
                                                          Dec 20, 2024 19:14:39.428340912 CET4999736197192.168.2.5147.185.221.24
                                                          Dec 20, 2024 19:14:39.429857016 CET4999836197192.168.2.5147.185.221.24
                                                          Dec 20, 2024 19:14:39.504854918 CET3619749997147.185.221.24192.168.2.5
                                                          Dec 20, 2024 19:14:39.548099041 CET3619749997147.185.221.24192.168.2.5
                                                          Dec 20, 2024 19:14:39.548110962 CET3619749997147.185.221.24192.168.2.5
                                                          Dec 20, 2024 19:14:39.549695015 CET3619749998147.185.221.24192.168.2.5
                                                          Dec 20, 2024 19:14:39.549803019 CET4999836197192.168.2.5147.185.221.24
                                                          Dec 20, 2024 19:14:39.583112955 CET4999836197192.168.2.5147.185.221.24
                                                          Dec 20, 2024 19:14:39.702672005 CET3619749998147.185.221.24192.168.2.5
                                                          Dec 20, 2024 19:14:39.702794075 CET4999836197192.168.2.5147.185.221.24
                                                          Dec 20, 2024 19:14:39.822597980 CET3619749998147.185.221.24192.168.2.5
                                                          Dec 20, 2024 19:14:44.926407099 CET3619749998147.185.221.24192.168.2.5
                                                          Dec 20, 2024 19:14:44.926501989 CET4999836197192.168.2.5147.185.221.24
                                                          Dec 20, 2024 19:14:49.874402046 CET4999836197192.168.2.5147.185.221.24
                                                          Dec 20, 2024 19:14:49.877007961 CET4999936197192.168.2.5147.185.221.24
                                                          Dec 20, 2024 19:14:49.994093895 CET3619749998147.185.221.24192.168.2.5
                                                          Dec 20, 2024 19:14:49.996649981 CET3619749999147.185.221.24192.168.2.5
                                                          Dec 20, 2024 19:14:49.996726036 CET4999936197192.168.2.5147.185.221.24
                                                          Dec 20, 2024 19:14:50.030890942 CET4999936197192.168.2.5147.185.221.24
                                                          Dec 20, 2024 19:14:50.150537014 CET3619749999147.185.221.24192.168.2.5
                                                          Dec 20, 2024 19:14:55.354024887 CET3619749999147.185.221.24192.168.2.5
                                                          Dec 20, 2024 19:14:55.354099035 CET4999936197192.168.2.5147.185.221.24
                                                          Dec 20, 2024 19:14:55.593229055 CET4999936197192.168.2.5147.185.221.24
                                                          Dec 20, 2024 19:14:55.596256971 CET5000036197192.168.2.5147.185.221.24
                                                          Dec 20, 2024 19:14:55.712829113 CET3619749999147.185.221.24192.168.2.5
                                                          Dec 20, 2024 19:14:55.715789080 CET3619750000147.185.221.24192.168.2.5
                                                          Dec 20, 2024 19:14:55.715910912 CET5000036197192.168.2.5147.185.221.24
                                                          Dec 20, 2024 19:14:55.751060963 CET5000036197192.168.2.5147.185.221.24
                                                          Dec 20, 2024 19:14:55.870637894 CET3619750000147.185.221.24192.168.2.5
                                                          Dec 20, 2024 19:15:01.069931984 CET3619750000147.185.221.24192.168.2.5
                                                          Dec 20, 2024 19:15:01.070266962 CET5000036197192.168.2.5147.185.221.24
                                                          Dec 20, 2024 19:15:05.798279047 CET5000036197192.168.2.5147.185.221.24
                                                          Dec 20, 2024 19:15:05.803668976 CET5000136197192.168.2.5147.185.221.24
                                                          Dec 20, 2024 19:15:05.919075012 CET3619750000147.185.221.24192.168.2.5
                                                          Dec 20, 2024 19:15:05.925834894 CET3619750001147.185.221.24192.168.2.5
                                                          Dec 20, 2024 19:15:05.925965071 CET5000136197192.168.2.5147.185.221.24
                                                          Dec 20, 2024 19:15:05.962979078 CET5000136197192.168.2.5147.185.221.24
                                                          Dec 20, 2024 19:15:06.086786032 CET3619750001147.185.221.24192.168.2.5
                                                          Dec 20, 2024 19:15:06.782541037 CET5000136197192.168.2.5147.185.221.24
                                                          Dec 20, 2024 19:15:06.904359102 CET3619750001147.185.221.24192.168.2.5
                                                          Dec 20, 2024 19:15:11.270129919 CET3619750001147.185.221.24192.168.2.5
                                                          Dec 20, 2024 19:15:11.270209074 CET5000136197192.168.2.5147.185.221.24
                                                          Dec 20, 2024 19:15:16.859021902 CET5000136197192.168.2.5147.185.221.24
                                                          Dec 20, 2024 19:15:16.863636971 CET5000236197192.168.2.5147.185.221.24
                                                          Dec 20, 2024 19:15:16.978667021 CET3619750001147.185.221.24192.168.2.5
                                                          Dec 20, 2024 19:15:16.983211040 CET3619750002147.185.221.24192.168.2.5
                                                          Dec 20, 2024 19:15:16.983303070 CET5000236197192.168.2.5147.185.221.24
                                                          Dec 20, 2024 19:15:17.015274048 CET5000236197192.168.2.5147.185.221.24
                                                          Dec 20, 2024 19:15:17.134772062 CET3619750002147.185.221.24192.168.2.5
                                                          Dec 20, 2024 19:15:22.365262032 CET3619750002147.185.221.24192.168.2.5
                                                          Dec 20, 2024 19:15:22.365360022 CET5000236197192.168.2.5147.185.221.24
                                                          Dec 20, 2024 19:15:27.780750036 CET5000236197192.168.2.5147.185.221.24
                                                          Dec 20, 2024 19:15:27.781949997 CET5000336197192.168.2.5147.185.221.24
                                                          Dec 20, 2024 19:15:27.900901079 CET3619750002147.185.221.24192.168.2.5
                                                          Dec 20, 2024 19:15:27.901797056 CET3619750003147.185.221.24192.168.2.5
                                                          Dec 20, 2024 19:15:27.901964903 CET5000336197192.168.2.5147.185.221.24
                                                          Dec 20, 2024 19:15:27.919338942 CET5000336197192.168.2.5147.185.221.24
                                                          Dec 20, 2024 19:15:28.039052010 CET3619750003147.185.221.24192.168.2.5
                                                          Dec 20, 2024 19:15:33.243294001 CET3619750003147.185.221.24192.168.2.5
                                                          Dec 20, 2024 19:15:33.243386984 CET5000336197192.168.2.5147.185.221.24
                                                          Dec 20, 2024 19:15:34.030664921 CET5000336197192.168.2.5147.185.221.24
                                                          Dec 20, 2024 19:15:34.031879902 CET5000436197192.168.2.5147.185.221.24
                                                          Dec 20, 2024 19:15:34.150216103 CET3619750003147.185.221.24192.168.2.5
                                                          Dec 20, 2024 19:15:34.151345015 CET3619750004147.185.221.24192.168.2.5
                                                          Dec 20, 2024 19:15:34.151431084 CET5000436197192.168.2.5147.185.221.24
                                                          Dec 20, 2024 19:15:34.166912079 CET5000436197192.168.2.5147.185.221.24
                                                          Dec 20, 2024 19:15:34.286556005 CET3619750004147.185.221.24192.168.2.5
                                                          Dec 20, 2024 19:15:39.500932932 CET3619750004147.185.221.24192.168.2.5
                                                          Dec 20, 2024 19:15:39.501004934 CET5000436197192.168.2.5147.185.221.24
                                                          Dec 20, 2024 19:15:41.375586033 CET5000436197192.168.2.5147.185.221.24
                                                          Dec 20, 2024 19:15:41.376211882 CET5000536197192.168.2.5147.185.221.24
                                                          Dec 20, 2024 19:15:41.495644093 CET3619750004147.185.221.24192.168.2.5
                                                          Dec 20, 2024 19:15:41.496148109 CET3619750005147.185.221.24192.168.2.5
                                                          Dec 20, 2024 19:15:41.496314049 CET5000536197192.168.2.5147.185.221.24
                                                          Dec 20, 2024 19:15:41.508346081 CET5000536197192.168.2.5147.185.221.24
                                                          Dec 20, 2024 19:15:41.628328085 CET3619750005147.185.221.24192.168.2.5

                                                          UDP Packets

                                                          TimestampSource PortDest PortSource IPDest IP
                                                          Dec 20, 2024 19:11:06.036786079 CET5733753192.168.2.51.1.1.1
                                                          Dec 20, 2024 19:11:06.176503897 CET53573371.1.1.1192.168.2.5
                                                          Dec 20, 2024 19:11:27.059854984 CET5740253192.168.2.51.1.1.1
                                                          Dec 20, 2024 19:11:27.333313942 CET53574021.1.1.1192.168.2.5

                                                          DNS Queries

                                                          TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                                          Dec 20, 2024 19:11:06.036786079 CET192.168.2.51.1.1.10x16f4Standard query (0)ip-api.comA (IP address)IN (0x0001)false
                                                          Dec 20, 2024 19:11:27.059854984 CET192.168.2.51.1.1.10x886eStandard query (0)below-judge.gl.at.ply.ggA (IP address)IN (0x0001)false

                                                          DNS Answers

                                                          TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                                          Dec 20, 2024 19:11:06.176503897 CET1.1.1.1192.168.2.50x16f4No error (0)ip-api.com208.95.112.1A (IP address)IN (0x0001)false
                                                          Dec 20, 2024 19:11:27.333313942 CET1.1.1.1192.168.2.50x886eNo error (0)below-judge.gl.at.ply.gg147.185.221.24A (IP address)IN (0x0001)false

                                                          HTTP Request Dependency Graph

                                                          • ip-api.com

                                                          HTTP Packets

                                                          Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                          0192.168.2.549704208.95.112.1805972C:\Users\user\Desktop\8DiSW8IPEF.exe
                                                          TimestampBytes transferredDirectionData
                                                          Dec 20, 2024 19:11:06.305644035 CET80OUTGET /line/?fields=hosting HTTP/1.1
                                                          Host: ip-api.com
                                                          Connection: Keep-Alive
                                                          Dec 20, 2024 19:11:07.457724094 CET175INHTTP/1.1 200 OK
                                                          Date: Fri, 20 Dec 2024 18:11:07 GMT
                                                          Content-Type: text/plain; charset=utf-8
                                                          Content-Length: 6
                                                          Access-Control-Allow-Origin: *
                                                          X-Ttl: 60
                                                          X-Rl: 44
                                                          Data Raw: 66 61 6c 73 65 0a
                                                          Data Ascii: false


                                                          Statistics

                                                          CPU Usage

                                                          Click to jump to process

                                                          Memory Usage

                                                          Click to jump to process

                                                          High Level Behavior Distribution

                                                          Click to dive into process behavior distribution

                                                          Behavior

                                                          Click to jump to process

                                                          System Behavior

                                                          General

                                                          Target ID:0
                                                          Start time:13:11:01
                                                          Start date:20/12/2024
                                                          Path:C:\Users\user\Desktop\8DiSW8IPEF.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:"C:\Users\user\Desktop\8DiSW8IPEF.exe"
                                                          Imagebase:0x750000
                                                          File size:66'560 bytes
                                                          MD5 hash:AD71876F6DFB18657B7EE257084B6C8B
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Yara matches:
                                                          • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000000.2041416352.0000000000752000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                          • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000000.2041416352.0000000000752000.00000002.00000001.01000000.00000003.sdmp, Author: ditekSHen
                                                          • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.4513957442.0000000002B01000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                          Reputation:low
                                                          Has exited:false

                                                          General

                                                          Target ID:2
                                                          Start time:13:11:06
                                                          Start date:20/12/2024
                                                          Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\8DiSW8IPEF.exe'
                                                          Imagebase:0x7ff7be880000
                                                          File size:452'608 bytes
                                                          MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high
                                                          Has exited:true

                                                          General

                                                          Target ID:3
                                                          Start time:13:11:06
                                                          Start date:20/12/2024
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff6d64d0000
                                                          File size:862'208 bytes
                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high
                                                          Has exited:true

                                                          General

                                                          Target ID:5
                                                          Start time:13:11:13
                                                          Start date:20/12/2024
                                                          Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '8DiSW8IPEF.exe'
                                                          Imagebase:0x7ff7be880000
                                                          File size:452'608 bytes
                                                          MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high
                                                          Has exited:true

                                                          General

                                                          Target ID:6
                                                          Start time:13:11:13
                                                          Start date:20/12/2024
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff6d64d0000
                                                          File size:862'208 bytes
                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high
                                                          Has exited:true

                                                          Disassembly

                                                          Reset < >

                                                            Execution Graph

                                                            Execution Coverage:20.2%
                                                            Dynamic/Decrypted Code Coverage:100%
                                                            Signature Coverage:21.4%
                                                            Total number of Nodes:14
                                                            Total number of Limit Nodes:1

                                                            Executed Functions

                                                            Function 00007FF848F26DE1 Relevance: 1.9, APIs: 1, Instructions: 379COMMON
                                                            Download Yara Rule

                                                            Control-flow Graph

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4535865698.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7ff848f20000_8DiSW8IPEF.jbxd
                                                            Similarity
                                                            • API ID: CheckDebuggerPresentRemote
                                                            • String ID:
                                                            • API String ID: 3662101638-0
                                                            • Opcode ID: 4fc25ddbad5efdefabbdf658802635ac83c01e6904b0c1da2152cc87a7852606
                                                            • Instruction ID: c85b6862047923431231446a72723f84a54f872f462f3332ab4d24601167a8d7
                                                            • Opcode Fuzzy Hash: 4fc25ddbad5efdefabbdf658802635ac83c01e6904b0c1da2152cc87a7852606
                                                            • Instruction Fuzzy Hash: 29C1E43090CB8C8FDB55EF28D8457E97BE0FF55311F04426AE849C7192DB79A845CB91
                                                            Function 00007FF848F25836 Relevance: .5, Instructions: 470COMMON
                                                            Download Yara Rule

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 435 7ff848f25836-7ff848f25843 436 7ff848f2584e-7ff848f25917 435->436 437 7ff848f25845-7ff848f2584d 435->437 442 7ff848f25919-7ff848f25922 436->442 443 7ff848f25983 436->443 437->436 442->443 444 7ff848f25924-7ff848f25930 442->444 445 7ff848f25985-7ff848f259aa 443->445 446 7ff848f25969-7ff848f25981 444->446 447 7ff848f25932-7ff848f25944 444->447 452 7ff848f259ac-7ff848f259b5 445->452 453 7ff848f25a16 445->453 446->445 448 7ff848f25948-7ff848f2595b 447->448 449 7ff848f25946 447->449 448->448 451 7ff848f2595d-7ff848f25965 448->451 449->448 451->446 452->453 455 7ff848f259b7-7ff848f259c3 452->455 454 7ff848f25a18-7ff848f25ac0 453->454 466 7ff848f25b2e 454->466 467 7ff848f25ac2-7ff848f25acc 454->467 456 7ff848f259fc-7ff848f25a14 455->456 457 7ff848f259c5-7ff848f259d7 455->457 456->454 459 7ff848f259d9 457->459 460 7ff848f259db-7ff848f259ee 457->460 459->460 460->460 461 7ff848f259f0-7ff848f259f8 460->461 461->456 468 7ff848f25b30-7ff848f25b59 466->468 467->466 469 7ff848f25ace-7ff848f25adb 467->469 476 7ff848f25b5b-7ff848f25b66 468->476 477 7ff848f25bc3 468->477 470 7ff848f25add-7ff848f25aef 469->470 471 7ff848f25b14-7ff848f25b2c 469->471 472 7ff848f25af1 470->472 473 7ff848f25af3-7ff848f25b06 470->473 471->468 472->473 473->473 475 7ff848f25b08-7ff848f25b10 473->475 475->471 476->477 479 7ff848f25b68-7ff848f25b76 476->479 478 7ff848f25bc5-7ff848f25c56 477->478 487 7ff848f25c5c-7ff848f25c6b 478->487 480 7ff848f25b78-7ff848f25b8a 479->480 481 7ff848f25baf-7ff848f25bc1 479->481 483 7ff848f25b8c 480->483 484 7ff848f25b8e-7ff848f25ba1 480->484 481->478 483->484 484->484 485 7ff848f25ba3-7ff848f25bab 484->485 485->481 488 7ff848f25c6d 487->488 489 7ff848f25c73-7ff848f25cd8 call 7ff848f25cf4 487->489 488->489 497 7ff848f25cda 489->497 498 7ff848f25cdf-7ff848f25cf2 489->498 497->498
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4535865698.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7ff848f20000_8DiSW8IPEF.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: f8f85b10a3325a65aea00c3b0decdb3cfd08477ef8264b97eda187b73d46f07f
                                                            • Instruction ID: 0ff551990b32a43f606758cf2401a217eea99f63d1acc4b9b4858781bf6fb2ee
                                                            • Opcode Fuzzy Hash: f8f85b10a3325a65aea00c3b0decdb3cfd08477ef8264b97eda187b73d46f07f
                                                            • Instruction Fuzzy Hash: 02F1B43091CA8D8FEBA8EF28D8557E937D1FF58350F04426AD84DC72D5DB35A9448B82
                                                            Function 00007FF848F265E2 Relevance: .5, Instructions: 456COMMON
                                                            Download Yara Rule

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 499 7ff848f265e2-7ff848f265ef 500 7ff848f265fa-7ff848f266c7 499->500 501 7ff848f265f1-7ff848f265f9 499->501 506 7ff848f266c9-7ff848f266d2 500->506 507 7ff848f26733 500->507 501->500 506->507 508 7ff848f266d4-7ff848f266e0 506->508 509 7ff848f26735-7ff848f2675a 507->509 510 7ff848f26719-7ff848f26731 508->510 511 7ff848f266e2-7ff848f266f4 508->511 516 7ff848f2675c-7ff848f26765 509->516 517 7ff848f267c6 509->517 510->509 512 7ff848f266f8-7ff848f2670b 511->512 513 7ff848f266f6 511->513 512->512 515 7ff848f2670d-7ff848f26715 512->515 513->512 515->510 516->517 518 7ff848f26767-7ff848f26773 516->518 519 7ff848f267c8-7ff848f267ed 517->519 520 7ff848f267ac-7ff848f267c4 518->520 521 7ff848f26775-7ff848f26787 518->521 526 7ff848f2685b 519->526 527 7ff848f267ef-7ff848f267f9 519->527 520->519 522 7ff848f26789 521->522 523 7ff848f2678b-7ff848f2679e 521->523 522->523 523->523 525 7ff848f267a0-7ff848f267a8 523->525 525->520 528 7ff848f2685d-7ff848f2688b 526->528 527->526 529 7ff848f267fb-7ff848f26808 527->529 535 7ff848f268fb 528->535 536 7ff848f2688d-7ff848f26898 528->536 530 7ff848f2680a-7ff848f2681c 529->530 531 7ff848f26841-7ff848f26859 529->531 533 7ff848f2681e 530->533 534 7ff848f26820-7ff848f26833 530->534 531->528 533->534 534->534 537 7ff848f26835-7ff848f2683d 534->537 539 7ff848f268fd-7ff848f269d5 535->539 536->535 538 7ff848f2689a-7ff848f268a8 536->538 537->531 540 7ff848f268aa-7ff848f268bc 538->540 541 7ff848f268e1-7ff848f268f9 538->541 549 7ff848f269db-7ff848f269ea 539->549 542 7ff848f268be 540->542 543 7ff848f268c0-7ff848f268d3 540->543 541->539 542->543 543->543 546 7ff848f268d5-7ff848f268dd 543->546 546->541 550 7ff848f269ec 549->550 551 7ff848f269f2-7ff848f26a54 call 7ff848f26a70 549->551 550->551 559 7ff848f26a5b-7ff848f26a6e 551->559 560 7ff848f26a56 551->560 560->559
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4535865698.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7ff848f20000_8DiSW8IPEF.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 836e3ca69e7292f2cd7b7c3b57f59229a9f75116552470fde79e9757785de707
                                                            • Instruction ID: 219d996ce5fd995454acc04345f8421383cdc3171e97a912dbf008afcead4804
                                                            • Opcode Fuzzy Hash: 836e3ca69e7292f2cd7b7c3b57f59229a9f75116552470fde79e9757785de707
                                                            • Instruction Fuzzy Hash: 0BE1A13090CA8E8FEBA8EF28D8557E93BD1EF54350F14426ED84DC7291DF79A8448B81
                                                            Function 00007FF848F216F1 Relevance: .4, Instructions: 388COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4535865698.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7ff848f20000_8DiSW8IPEF.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 0b588d1bbdfc9776ec6b7c08116b86ebfe566c4266e811d825b9477f7f4220af
                                                            • Instruction ID: 2a52b56ae19b27dedcf3f854ba4a83d91ea8eebece9dd76432d6f08fb1377f6d
                                                            • Opcode Fuzzy Hash: 0b588d1bbdfc9776ec6b7c08116b86ebfe566c4266e811d825b9477f7f4220af
                                                            • Instruction Fuzzy Hash: 83C1B130F1D94A9FEB88FB68945567977D2FF99380F04417AD04EC32D2DF29A8428749
                                                            Function 00007FF848F2897D Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 246COMMON
                                                            Download Yara Rule

                                                            Control-flow Graph

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4535865698.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7ff848f20000_8DiSW8IPEF.jbxd
                                                            Similarity
                                                            • API ID: CriticalProcess
                                                            • String ID: HbH
                                                            • API String ID: 2695349919-3628727451
                                                            • Opcode ID: 27bcf3ca63b868bc222fd173bc74136c675088011b658743aab6c9bdcc212d30
                                                            • Instruction ID: 34208c093e8e870e222279fb823bdc4d24e5c1156daec669207a5c12d5fe5273
                                                            • Opcode Fuzzy Hash: 27bcf3ca63b868bc222fd173bc74136c675088011b658743aab6c9bdcc212d30
                                                            • Instruction Fuzzy Hash: 5971103190CA4D8FD718EF68D8596EA7BF0FF55310F04426ED08AC3692DB39A846CB91
                                                            Function 00007FF848F28E91 Relevance: 1.8, APIs: 1, Instructions: 262COMMON
                                                            Download Yara Rule

                                                            Control-flow Graph

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4535865698.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7ff848f20000_8DiSW8IPEF.jbxd
                                                            Similarity
                                                            • API ID: HookWindows
                                                            • String ID:
                                                            • API String ID: 2559412058-0
                                                            • Opcode ID: cb9f847365a5152c7c3af627beb073fc9670e8a1df386f0c15b6e6f19295242f
                                                            • Instruction ID: f0630dfedf7b5dd6eb21855f28cc8ba926208ff85587703de2ebb1e08d388bfa
                                                            • Opcode Fuzzy Hash: cb9f847365a5152c7c3af627beb073fc9670e8a1df386f0c15b6e6f19295242f
                                                            • Instruction Fuzzy Hash: F771023190CA5C9FDB58EB68D84A6F9BBE1EF55321F00426FD009C3692CB75A846CB91
                                                            Function 00007FF848F282B2 Relevance: 1.7, APIs: 1, Instructions: 239COMMON
                                                            Download Yara Rule

                                                            Control-flow Graph

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4535865698.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7ff848f20000_8DiSW8IPEF.jbxd
                                                            Similarity
                                                            • API ID: HookWindows
                                                            • String ID:
                                                            • API String ID: 2559412058-0
                                                            • Opcode ID: 02cbfdd1b4519b03f64242330e6fcc8cececf293bc53389b499a91679f6d5265
                                                            • Instruction ID: 16564fc86ab3a8049fddfa8a5be4b60ac9f4482dbb0b8705c2e4c52001f294e6
                                                            • Opcode Fuzzy Hash: 02cbfdd1b4519b03f64242330e6fcc8cececf293bc53389b499a91679f6d5265
                                                            • Instruction Fuzzy Hash: 5061D23190CA5C9FDB58EB6CD8496F9BBE1EF59321F00423ED009D3692CB75A846CB91
                                                            Function 00007FF848F28222 Relevance: 1.6, APIs: 1, Instructions: 121COMMON
                                                            Download Yara Rule

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 114 7ff848f28222-7ff848f28ada 117 7ff848f28ae2-7ff848f28b40 RtlSetProcessIsCritical 114->117 118 7ff848f28b48-7ff848f28b7d 117->118 119 7ff848f28b42 117->119 119->118
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4535865698.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7ff848f20000_8DiSW8IPEF.jbxd
                                                            Similarity
                                                            • API ID: CriticalProcess
                                                            • String ID:
                                                            • API String ID: 2695349919-0
                                                            • Opcode ID: 4bbc0f142580aa4448c0d4d2ca1ecb093635b51879b560b47846aa9445dd1450
                                                            • Instruction ID: 3c49694579960e60fae262cea2d8926e03bfaaecfb9f0ad8905be56b8404a91c
                                                            • Opcode Fuzzy Hash: 4bbc0f142580aa4448c0d4d2ca1ecb093635b51879b560b47846aa9445dd1450
                                                            • Instruction Fuzzy Hash: 0D31C27190CA188FDB28EB98D845BF9BBE0FF55311F14412EE09AD3682CB7568468B91
                                                            Function 00007FF848F282C2 Relevance: 1.6, APIs: 1, Instructions: 121COMMON
                                                            Download Yara Rule

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 121 7ff848f282c2-7ff848f2900d 125 7ff848f29099-7ff848f2909d 121->125 126 7ff848f29013-7ff848f29018 121->126 127 7ff848f29022-7ff848f2905f SetWindowsHookExW 125->127 128 7ff848f2901f-7ff848f29020 126->128 129 7ff848f29061 127->129 130 7ff848f29067-7ff848f29098 127->130 128->127 129->130
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4535865698.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7ff848f20000_8DiSW8IPEF.jbxd
                                                            Similarity
                                                            • API ID: HookWindows
                                                            • String ID:
                                                            • API String ID: 2559412058-0
                                                            • Opcode ID: 9159733906e165808f4d440122d97b6dc510fab2c5b19b67bfbc4deb423a4582
                                                            • Instruction ID: 943e620b4c711b81689f979b8d750d03d6f93ea044e3507e0848d6e6e6cdac68
                                                            • Opcode Fuzzy Hash: 9159733906e165808f4d440122d97b6dc510fab2c5b19b67bfbc4deb423a4582
                                                            • Instruction Fuzzy Hash: D131A530A1CA1C5FDB58EB5CD84A6B977E1EB99321F00423ED049D3691CB65A8528B85

                                                            Non-executed Functions

                                                            Function 00007FF848F2352D Relevance: .4, Instructions: 371COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4535865698.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7ff848f20000_8DiSW8IPEF.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 1c0e78813730dde37ccc6bbd08f34245aa0018cb9217a6fbfb23f7fce13f4668
                                                            • Instruction ID: b3df4ef4bfbe5182ea1ddc59e1a590f096fb0d542d3f47a929fb6ea8bf07ea0e
                                                            • Opcode Fuzzy Hash: 1c0e78813730dde37ccc6bbd08f34245aa0018cb9217a6fbfb23f7fce13f4668
                                                            • Instruction Fuzzy Hash: 12C1DE3090DA4C8FDB59EB6898457E9BBB1FF55310F0442AED04DD3292DF746985CB82
                                                            Function 00007FF848F25035 Relevance: .3, Instructions: 322COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4535865698.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7ff848f20000_8DiSW8IPEF.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 668391298a1ad7c2bce6fa5d8704d6cfe565f5a9019eb7f5b054a6e75f7bb61f
                                                            • Instruction ID: 72682843a53de53aada77d291f44789f68625eca05eb4ad4ae550dcd2abee752
                                                            • Opcode Fuzzy Hash: 668391298a1ad7c2bce6fa5d8704d6cfe565f5a9019eb7f5b054a6e75f7bb61f
                                                            • Instruction Fuzzy Hash: 9B91023090D74C8FDB59EBA898496E9BBF1FF56320F0442AED049D3292CF796845CB91

                                                            Executed Functions

                                                            Function 00007FF848FD660A Relevance: 6.7, Strings: 5, Instructions: 461COMMON
                                                            Download Yara Rule
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2159853521.00007FF848FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FD0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_7ff848fd0000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: (B"I$(B"I$(B"I$(B"I$(B"I
                                                            • API String ID: 0-3570690463
                                                            • Opcode ID: c28abb6ca4133c41a4089f613f6bf1eee21609edf047ba921cbe00f65e6b9e44
                                                            • Instruction ID: dd321d527f340bdaf2127f7b48f8ce7f843b664c349c2a24ebe2a2b5da8f03cf
                                                            • Opcode Fuzzy Hash: c28abb6ca4133c41a4089f613f6bf1eee21609edf047ba921cbe00f65e6b9e44
                                                            • Instruction Fuzzy Hash: 07D14131E0EA8A5FEB99EB2858145B57BE1EF15390F1801BAD10ECB0D3EB1CA805C795
                                                            Function 00007FF848FD4073 Relevance: 1.4, Strings: 1, Instructions: 182COMMON
                                                            Download Yara Rule
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2159853521.00007FF848FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FD0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_7ff848fd0000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: 8>"I
                                                            • API String ID: 0-2459728092
                                                            • Opcode ID: 1adb32513925e4d9112de582261411984d2ebe372d88f19ea5c04e6264e3cb7c
                                                            • Instruction ID: 2d6d9b821ca418bfbed046d32ad2bde82460911ce2b283c6e00d8aa5fab3bdd7
                                                            • Opcode Fuzzy Hash: 1adb32513925e4d9112de582261411984d2ebe372d88f19ea5c04e6264e3cb7c
                                                            • Instruction Fuzzy Hash: 5E510432E0DA4A4FE79AEB2C94116B577E2FF65260F1801BAC25EC71D2DF18EC058749
                                                            Function 00007FF848FD40BF Relevance: 1.3, Strings: 1, Instructions: 95COMMON
                                                            Download Yara Rule
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2159853521.00007FF848FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FD0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_7ff848fd0000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: 8>"I
                                                            • API String ID: 0-2459728092
                                                            • Opcode ID: 5823892f5f54edd921bde3ad92e33a3ed1167dbf5ae1cb9896134cb03b5cbeef
                                                            • Instruction ID: a823a35cf913f75ab8ef4870b228908f7eff6994f1e701736514c3259c68e70f
                                                            • Opcode Fuzzy Hash: 5823892f5f54edd921bde3ad92e33a3ed1167dbf5ae1cb9896134cb03b5cbeef
                                                            • Instruction Fuzzy Hash: 7121A032E0D98B4FE7AAEB18945517466E2FF74290F4911B9C25EC71E2CF18EC048B49
                                                            Function 00007FF848F0A042 Relevance: .3, Instructions: 303COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2159394313.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_7ff848f00000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 9f3b6862ea9cf5d345b06a7c300c836a771d230f55e0d8ad097e2bf6d15543cd
                                                            • Instruction ID: 51c53e28fbe0cdf0fc4e3afa01ae91b17f6e637308e9e4c454ee682392cf41c6
                                                            • Opcode Fuzzy Hash: 9f3b6862ea9cf5d345b06a7c300c836a771d230f55e0d8ad097e2bf6d15543cd
                                                            • Instruction Fuzzy Hash: 8431A33280E6C59FD742AB6C58A60E57FB0EF53259B0D01F7C088CE0A3EE1C58598796
                                                            Function 00007FF848F09758 Relevance: .1, Instructions: 131COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2159394313.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_7ff848f00000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 9b49e4ddce65e17b1d4c89e18d049c26901a372101e17a5c609f6830c0d762f3
                                                            • Instruction ID: 92343b2bdd451c8bf986e40c5a25c990ac030de17fe084fd8a89e91e6998f42d
                                                            • Opcode Fuzzy Hash: 9b49e4ddce65e17b1d4c89e18d049c26901a372101e17a5c609f6830c0d762f3
                                                            • Instruction Fuzzy Hash: 3731D531A1CF489FDB5C9F5CA8466B97BE0FB99710F00412FE44993692DB30A856CBC6
                                                            Function 00007FF848DEE620 Relevance: .1, Instructions: 126COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2158956790.00007FF848DED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DED000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_7ff848ded000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 22e041fde1050c37987fd16e40256dfa78dc384c4fa1c24cb795136d9c2ae974
                                                            • Instruction ID: 3230988d659d259c19ddc0642142406711170ed729cdd0a199fff086a3afbd31
                                                            • Opcode Fuzzy Hash: 22e041fde1050c37987fd16e40256dfa78dc384c4fa1c24cb795136d9c2ae974
                                                            • Instruction Fuzzy Hash: 6941F87180EBC44FE7569B399845A623FF0EF56360F1505EFD088CB1A3D729A84AC792
                                                            Function 00007FF848F0A62C Relevance: .1, Instructions: 95COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2159394313.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_7ff848f00000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 12574dda88cc747849ed00d7a415ba2cc23d1c564676ef9864778e2bb5393ca5
                                                            • Instruction ID: 3cdf68d831d7dff9074ef8ab706983cf17dbe5a7b474757c1361f74f003de3f8
                                                            • Opcode Fuzzy Hash: 12574dda88cc747849ed00d7a415ba2cc23d1c564676ef9864778e2bb5393ca5
                                                            • Instruction Fuzzy Hash: E521387080D7884FEB09CB689C4AAF97FF4EF53320F04419AD445DB1A3DA785846CB61
                                                            Function 00007FF848F033B5 Relevance: .0, Instructions: 49COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2159394313.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_7ff848f00000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 9895435140380c782189f81496fffaa590a70fd196a779c416207eeb9efb34d6
                                                            • Instruction ID: 7751a646eaf869edea33559e4a2383cdbafb38eb3a9baaa8760fd3dac5d19060
                                                            • Opcode Fuzzy Hash: 9895435140380c782189f81496fffaa590a70fd196a779c416207eeb9efb34d6
                                                            • Instruction Fuzzy Hash: DE01677111CB0C4FD744EF0CE451AA5B7E0FB95364F50056EE58AC3695DB36E882CB45
                                                            Function 00007FF848FD4400 Relevance: .0, Instructions: 35COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2159853521.00007FF848FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FD0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_7ff848fd0000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 120112b9f4fc477d9e06ee2babaabad259c29e6365255addcf8dea0b7d06903a
                                                            • Instruction ID: 6839377841f79c3052363ed54d48793ca63cc21a80e138c0e297e57fbdaf75d0
                                                            • Opcode Fuzzy Hash: 120112b9f4fc477d9e06ee2babaabad259c29e6365255addcf8dea0b7d06903a
                                                            • Instruction Fuzzy Hash: 18F0BE31A0C5448FD754EB0CE4458A8B3E0FF05320F0500B6E14AC70A3DB25ACA48B54

                                                            Non-executed Functions

                                                            Function 00007FF848F08BFA Relevance: 5.1, Strings: 4, Instructions: 85COMMON
                                                            Download Yara Rule
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2159394313.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_7ff848f00000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: O_^4$O_^7$O_^F$O_^J
                                                            • API String ID: 0-875994666
                                                            • Opcode ID: afb7aef26a733c1ec8a94d43621df130ef9c76a189540df7c29b51cd940d3ecf
                                                            • Instruction ID: 8bd8163f0f9ae516a15f916a4231b8f7fb71d175f1a7c6e4fa1c9a0ae69dd810
                                                            • Opcode Fuzzy Hash: afb7aef26a733c1ec8a94d43621df130ef9c76a189540df7c29b51cd940d3ecf
                                                            • Instruction Fuzzy Hash: E521297762A025DED3417B7DB8045DA3750DFD427AB4502B2D19E8F243EA1C708686E4

                                                            Executed Functions

                                                            Function 00007FF848FF6605 Relevance: 6.7, Strings: 5, Instructions: 431COMMON
                                                            Download Yara Rule
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.2277984471.00007FF848FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FF0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_7ff848ff0000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: (B#I$(B#I$(B#I$(B#I$(B#I
                                                            • API String ID: 0-1620291718
                                                            • Opcode ID: 45de918920eb23bbeea95984dd57f2f3e4a702d6adbbd1f5351edc3260f64e79
                                                            • Instruction ID: 7a13e4da9a67f872ff197d49de3da389a2e0aadd5d676a91d2a22af71da0c4de
                                                            • Opcode Fuzzy Hash: 45de918920eb23bbeea95984dd57f2f3e4a702d6adbbd1f5351edc3260f64e79
                                                            • Instruction Fuzzy Hash: C3C13131D0EA8A5FEB99AB2858145B5BBA1EF1A390F1801FFD54DCB0D3EE1CA805C355
                                                            Function 00007FF848E0E700 Relevance: 1.4, Strings: 1, Instructions: 129COMMON
                                                            Download Yara Rule
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.2275809351.00007FF848E0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E0D000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_7ff848e0d000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: q>}G
                                                            • API String ID: 0-2921006071
                                                            • Opcode ID: 30b14e9013e150b500ec0136ea1fc5a78586ebcf0b1943c6f3d8f30bb461e1ff
                                                            • Instruction ID: 130e25de52fb9974bd5d95d070deef438dadbd1fad015d45c754a963db04b115
                                                            • Opcode Fuzzy Hash: 30b14e9013e150b500ec0136ea1fc5a78586ebcf0b1943c6f3d8f30bb461e1ff
                                                            • Instruction Fuzzy Hash: 4441127080DBC04FE7569B289855A523FF0FF57260B0905EFD488CB1A3E629A846C7A2
                                                            Function 00007FF848F29780 Relevance: .1, Instructions: 129COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.2277021598.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_7ff848f20000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 2dae65b0a635d967213072b502cd37f200167da8589d8f1f76f61ad9e3fd7b06
                                                            • Instruction ID: 07048a1f3197adaa2aa7557e0a07b5da4eab2e423e2177f7fdbefcd9d2edecac
                                                            • Opcode Fuzzy Hash: 2dae65b0a635d967213072b502cd37f200167da8589d8f1f76f61ad9e3fd7b06
                                                            • Instruction Fuzzy Hash: 9531093191CB888FEB199F1CAC066E97BE0FB55711F00426FE049D3292CA71A855CBC2
                                                            Function 00007FF848F2A49C Relevance: .1, Instructions: 102COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.2277021598.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_7ff848f20000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 27f2fe8214b0e631940d67140e40b2bee435dc086f0b167ff7bbcfa3db0189e8
                                                            • Instruction ID: c0cfdc4a31671cb45098be5db71b6c5f1bbf5d2c3364595eb6c4e89ac0d2ddb6
                                                            • Opcode Fuzzy Hash: 27f2fe8214b0e631940d67140e40b2bee435dc086f0b167ff7bbcfa3db0189e8
                                                            • Instruction Fuzzy Hash: 2821093190C74C4FDB59DBAC984A7E97BE0EB56321F04416BD048C3192DA75A855CB91
                                                            Function 00007FF848F233B5 Relevance: .0, Instructions: 49COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.2277021598.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_7ff848f20000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
                                                            • Instruction ID: b81149d342438cc37704c2a90a5bc61e4b8c38b5d9d18ebcc6d248958a2491c8
                                                            • Opcode Fuzzy Hash: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
                                                            • Instruction Fuzzy Hash: 6A01677111CB0C4FD744EF0CE451AA5B7E0FB95364F10056EE58AC36A5DB36E892CB46
                                                            Function 00007FF848F2A0FB Relevance: .0, Instructions: 39COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.2277021598.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_7ff848f20000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: d5060b26c9c4196595c55bbb1af58388a76ba94fab78e063f33aaeb1c8b29e73
                                                            • Instruction ID: c6c16936e490efe25eecf06de6b4f23a96065ebdd4b270ba7e81a0e70785ea81
                                                            • Opcode Fuzzy Hash: d5060b26c9c4196595c55bbb1af58388a76ba94fab78e063f33aaeb1c8b29e73
                                                            • Instruction Fuzzy Hash: CFF0F63650DACC4FDB82EF2CA8690E8BF90FF66215B0402EBD448C7161EB224948CB81
                                                            Function 00007FF848FF414D Relevance: .0, Instructions: 37COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.2277984471.00007FF848FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FF0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_7ff848ff0000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 6d82cbbbbd25350d8bc705f617a707a25a9cc2f5e89769c505d7f688b3a86633
                                                            • Instruction ID: 66ae661fbd5a3be87ccc885ff1bf18edd84fe351c4df1a48fc64353aaa19cdb4
                                                            • Opcode Fuzzy Hash: 6d82cbbbbd25350d8bc705f617a707a25a9cc2f5e89769c505d7f688b3a86633
                                                            • Instruction Fuzzy Hash: 37F09A32A0C5058FD759EB0CE4058A8B3E0FF64361B1500BBE11DC71A3DB26EC418799
                                                            Function 00007FF848FF4400 Relevance: .0, Instructions: 35COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.2277984471.00007FF848FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FF0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_7ff848ff0000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 5c8885af5ad30cc68deb735873986eb40f25afbd64c92ebd2db2fa86ab8b5466
                                                            • Instruction ID: e8c0c94e737dee8a32600f0352ba9475bdf1e36c7121b1e40418ddeb0fe4b33d
                                                            • Opcode Fuzzy Hash: 5c8885af5ad30cc68deb735873986eb40f25afbd64c92ebd2db2fa86ab8b5466
                                                            • Instruction Fuzzy Hash: 88F0B832A0C5448FD758EB0CE4458A8B3E0FF04321F0500BBE209EB1A3DB2AAC608764
                                                            Function 00007FF848FF41D1 Relevance: .0, Instructions: 29COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.2277984471.00007FF848FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FF0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_7ff848ff0000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
                                                            • Instruction ID: d769517fa595beb740091979c284fb2f197ba556f1da16d26ccdbdaf57273a59
                                                            • Opcode Fuzzy Hash: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
                                                            • Instruction Fuzzy Hash: 76E0123170C4048FD669EB0CE0409A973E1FBA8361B1101B7E24EC7561C721EC518B84

                                                            Non-executed Functions

                                                            Function 00007FF848F28BF2 Relevance: 10.1, Strings: 8, Instructions: 85COMMON
                                                            Download Yara Rule
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.2277021598.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_7ff848f20000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: M_^8$M_^<$M_^?$M_^J$M_^K$M_^N$M_^Q$M_^Y
                                                            • API String ID: 0-962139525
                                                            • Opcode ID: 78afc6692382add72f29a453e46cef919c850fcb415a89dede20db3bf3140953
                                                            • Instruction ID: 7fd3566e5afb083c6e6401c0847751e720ad71e5f9896b647dd2248b4652e339
                                                            • Opcode Fuzzy Hash: 78afc6692382add72f29a453e46cef919c850fcb415a89dede20db3bf3140953
                                                            • Instruction Fuzzy Hash: FD21D473A29525DAD242366CB8419DD7790EF543B978603F3E028CF193EE1CA48B8A95