
Windows Analysis Report
L988Ph5sKX.exe

Overview

General Information

Sample name: L988Ph5sKX.exe (renamed because original name is a hash value)
Original sample name: 5c6f9ad1a92365495fc5bf4dae87dd8d01c98850ddbbeec9e2c458252a030fef.exe
Analysis ID: 1583092
MD5: 98219390b2a78d205ee6fd761b7f5f93
SHA1: 4d616c0683dcf2edfac9aba4babb0d05287b0b1c
SHA256: 5c6f9ad1a92365495fc5bf4dae87dd8d01c98850ddbbeec9e2c458252a030fef
Tags: exe user-Chainskilabs

Detection

XWorm
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected XWorm
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Check if machine is in data center or colocation facility
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Protects its processes via BreakOnTermination flag
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Generic Downloader
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries disk information (often used to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Execution of Suspicious File Type Extension
Sigma detected: Powershell Defender Exclusion
Sigma detected: Startup Folder File Write
Sigma detected: Suspicious Schtasks From Env Var Folder
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • L988Ph5sKX.exe (PID: 6520 cmdline: "C:\Users\user\Desktop\L988Ph5sKX.exe" MD5: 98219390B2A78D205EE6FD761B7F5F93)
    • powershell.exe (PID: 3872 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\L988Ph5sKX.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 5336 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 876 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'L988Ph5sKX.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 6064 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 4948 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\system log' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7024 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 6924 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'system log' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 5336 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • schtasks.exe (PID: 6428 cmdline: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "system log" /tr "C:\Users\user\AppData\Local\Temp\system log" MD5: 76CD6626DD8834BD4A42E6A565104DC2)
      • conhost.exe (PID: 5260 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • system log (PID: 6596 cmdline: "C:\Users\user\AppData\Local\Temp\system log" MD5: 98219390B2A78D205EE6FD761B7F5F93)
  • OpenWith.exe (PID: 1540 cmdline: C:\Windows\system32\OpenWith.exe -Embedding MD5: E4A834784FA08C17D47A1E72429C5109)
  • svchost.exe (PID: 6332 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • OpenWith.exe (PID: 6392 cmdline: C:\Windows\system32\OpenWith.exe -Embedding MD5: E4A834784FA08C17D47A1E72429C5109)
  • cleanup
{"C2 url": ["147.185.221.24"], "Port": 55161, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe"}
Source | Rule | Description | Author | Strings
L988Ph5sKX.exe | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
L988Ph5sKX.exe | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
L988Ph5sKX.exe | rat_win_xworm_v3 | Finds XWorm (version XClient, v3) samples based on characteristic strings | Sekoia.io
  • 0xd3ca:$str01: $VB$Local_Port
  • 0xd3f7:$str02: $VB$Local_Host
  • 0xb5f8:$str03: get_Jpeg
  • 0xbdf6:$str04: get_ServicePack
  • 0xec0d:$str05: Select * from AntivirusProduct
  • 0xf265:$str06: PCRestart
  • 0xf279:$str07: shutdown.exe /f /r /t 0
  • 0xf32b:$str08: StopReport
  • 0xf301:$str09: StopDDos
  • 0xf3f7:$str10: sendPlugin
  • 0xf577:$str12: -ExecutionPolicy Bypass -File "
  • 0xf94e:$str13: Content-length: 5235
L988Ph5sKX.exe | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0xe6f5:$s6: VirtualBox
  • 0xe653:$s8: Win32_ComputerSystem
  • 0x100cb:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x10168:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x1027d:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0xf869:$cnc4: POST / HTTP/1.1

Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Local\Temp\system log | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
C:\Users\user\AppData\Local\Temp\system log | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
C:\Users\user\AppData\Local\Temp\system log | rat_win_xworm_v3 | Finds XWorm (version XClient, v3) samples based on characteristic strings | Sekoia.io
  • 0xd3ca:$str01: $VB$Local_Port
  • 0xd3f7:$str02: $VB$Local_Host
  • 0xb5f8:$str03: get_Jpeg
  • 0xbdf6:$str04: get_ServicePack
  • 0xec0d:$str05: Select * from AntivirusProduct
  • 0xf265:$str06: PCRestart
  • 0xf279:$str07: shutdown.exe /f /r /t 0
  • 0xf32b:$str08: StopReport
  • 0xf301:$str09: StopDDos
  • 0xf3f7:$str10: sendPlugin
  • 0xf577:$str12: -ExecutionPolicy Bypass -File "
  • 0xf94e:$str13: Content-length: 5235
C:\Users\user\AppData\Local\Temp\system log | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0xe6f5:$s6: VirtualBox
  • 0xe653:$s8: Win32_ComputerSystem
  • 0x100cb:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x10168:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x1027d:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0xf869:$cnc4: POST / HTTP/1.1

Source | Rule | Description | Author | Strings
00000000.00000000.2086421489.0000000000B12000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
00000000.00000000.2086421489.0000000000B12000.00000002.00000001.01000000.00000003.sdmp | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0xe4f5:$s6: VirtualBox
  • 0xe453:$s8: Win32_ComputerSystem
  • 0xfecb:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0xff68:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x1007d:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0xf669:$cnc4: POST / HTTP/1.1
00000000.00000002.3352894957.0000000002EF1000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
Process Memory Space: L988Ph5sKX.exe PID: 6520 | JoeSecurity_XWorm | Yara detected XWorm | Joe Security

Source | Rule | Description | Author | Strings
0.0.L988Ph5sKX.exe.b10000.0.unpack | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
0.0.L988Ph5sKX.exe.b10000.0.unpack | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
0.0.L988Ph5sKX.exe.b10000.0.unpack | rat_win_xworm_v3 | Finds XWorm (version XClient, v3) samples based on characteristic strings | Sekoia.io
  • 0xd3ca:$str01: $VB$Local_Port
  • 0xd3f7:$str02: $VB$Local_Host
  • 0xb5f8:$str03: get_Jpeg
  • 0xbdf6:$str04: get_ServicePack
  • 0xec0d:$str05: Select * from AntivirusProduct
  • 0xf265:$str06: PCRestart
  • 0xf279:$str07: shutdown.exe /f /r /t 0
  • 0xf32b:$str08: StopReport
  • 0xf301:$str09: StopDDos
  • 0xf3f7:$str10: sendPlugin
  • 0xf577:$str12: -ExecutionPolicy Bypass -File "
  • 0xf94e:$str13: Content-length: 5235
0.0.L988Ph5sKX.exe.b10000.0.unpack | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0xe6f5:$s6: VirtualBox
  • 0xe653:$s8: Win32_ComputerSystem
  • 0x100cb:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x10168:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x1027d:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0xf869:$cnc4: POST / HTTP/1.1

System Summary

Source: Registry Key set | Author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing | Data: Details: C:\Users\user\AppData\Local\Temp\system log, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\L988Ph5sKX.exe, ProcessId: 6520, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\system log
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\L988Ph5sKX.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\L988Ph5sKX.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\L988Ph5sKX.exe", ParentImage: C:\Users\user\Desktop\L988Ph5sKX.exe, ParentProcessId: 6520, ParentProcessName: L988Ph5sKX.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\L988Ph5sKX.exe', ProcessId: 3872, ProcessName: powershell.exe
Source: Process started | Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\system log', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\system log', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\L988Ph5sKX.exe", ParentImage: C:\Users\user\Desktop\L988Ph5sKX.exe, ParentProcessId: 6520, ParentProcessName: L988Ph5sKX.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\system log', ProcessId: 4948, ProcessName: powershell.exe
Source: Process started | Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\system log', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\system log', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\L988Ph5sKX.exe", ParentImage: C:\Users\user\Desktop\L988Ph5sKX.exe, ParentProcessId: 6520, ParentProcessName: L988Ph5sKX.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\system log', ProcessId: 4948, ProcessName: powershell.exe
Source: Process started | Author: frack113 | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\L988Ph5sKX.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\L988Ph5sKX.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\L988Ph5sKX.exe", ParentImage: C:\Users\user\Desktop\L988Ph5sKX.exe, ParentProcessId: 6520, ParentProcessName: L988Ph5sKX.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\L988Ph5sKX.exe', ProcessId: 3872, ProcessName: powershell.exe
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: C:\Users\user\AppData\Local\Temp\system log, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\L988Ph5sKX.exe, ProcessId: 6520, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\system log
Source: Process started | Author: Max Altgelt (Nextron Systems) | Data: Command: "C:\Users\user\AppData\Local\Temp\system log", CommandLine: "C:\Users\user\AppData\Local\Temp\system log", CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\system log, NewProcessName: C:\Users\user\AppData\Local\Temp\system log, OriginalFileName: C:\Users\user\AppData\Local\Temp\system log, ParentCommandLine: , ParentImage: , ParentProcessId: 1064, ProcessCommandLine: "C:\Users\user\AppData\Local\Temp\system log", ProcessId: 6596, ProcessName: system log
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\L988Ph5sKX.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\L988Ph5sKX.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\L988Ph5sKX.exe", ParentImage: C:\Users\user\Desktop\L988Ph5sKX.exe, ParentProcessId: 6520, ParentProcessName: L988Ph5sKX.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\L988Ph5sKX.exe', ProcessId: 3872, ProcessName: powershell.exe
Source: File created | Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Data: EventID: 11, Image: C:\Users\user\Desktop\L988Ph5sKX.exe, ProcessId: 6520, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\system log.lnk
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "system log" /tr "C:\Users\user\AppData\Local\Temp\system log", CommandLine: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "system log" /tr "C:\Users\user\AppData\Local\Temp\system log", CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\L988Ph5sKX.exe", ParentImage: C:\Users\user\Desktop\L988Ph5sKX.exe, ParentProcessId: 6520, ParentProcessName: L988Ph5sKX.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "system log" /tr "C:\Users\user\AppData\Local\Temp\system log", ProcessId: 6428, ProcessName: schtasks.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\L988Ph5sKX.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\L988Ph5sKX.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\L988Ph5sKX.exe", ParentImage: C:\Users\user\Desktop\L988Ph5sKX.exe, ParentProcessId: 6520, ParentProcessName: L988Ph5sKX.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\L988Ph5sKX.exe', ProcessId: 3872, ProcessName: powershell.exe
Source: Process started | Author: vburov | Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 632, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 6332, ProcessName: svchost.exe

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-01T22:00:13.863715+0100 | 2855924 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49974 | 147.185.221.24 | 55161 | TCP

AV Detection

Source: L988Ph5sKX.exe | Avira: detected
Source: C:\Users\user\AppData\Local\Temp\system log | Avira: detection malicious, Label: TR/Spy.Gen
Source: L988Ph5sKX.exe | Malware Configuration Extractor: Xworm {"C2 url": ["147.185.221.24"], "Port": 55161, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe"}
Source: C:\Users\user\AppData\Local\Temp\system log | ReversingLabs: Detection: 81%
Source: L988Ph5sKX.exe | Virustotal: Detection: 68%
Source: L988Ph5sKX.exe | ReversingLabs: Detection: 81%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Local\Temp\system log | Joe Sandbox ML: detected
Source: L988Ph5sKX.exe | Joe Sandbox ML: detected
Source: L988Ph5sKX.exe | String decryptor: 147.185.221.24
Source: L988Ph5sKX.exe | String decryptor: 55161
Source: L988Ph5sKX.exe | String decryptor: <123456789>
Source: L988Ph5sKX.exe | String decryptor: <Xwormmm>
Source: L988Ph5sKX.exe | String decryptor: lolololol
Source: L988Ph5sKX.exe | String decryptor: USB.exe
Source: L988Ph5sKX.exe | String decryptor: %Temp%
Source: L988Ph5sKX.exe | String decryptor: system log
Source: L988Ph5sKX.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: L988Ph5sKX.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Source: Network traffic | Suricata IDS: 2855924 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.6:49974 -> 147.185.221.24:55161
Source: Malware configuration extractor | URLs: 147.185.221.24
Source: Yara match | File source: L988Ph5sKX.exe, type: SAMPLE
Source: Yara match | File source: 0.0.L988Ph5sKX.exe.b10000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\system log, type: DROPPED
Source: global traffic | TCP traffic: 192.168.2.6:49974 -> 147.185.221.24:55161
Source: global traffic | HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 | Host: ip-api.com | Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 208.95.112.1
Source: Joe Sandbox View | IP Address: 147.185.221.24
Source: Joe Sandbox View | ASN Name: SALSGIVERUS
Source: unknown | DNS query: name: ip-api.com
Source: unknown | TCP traffic detected without corresponding DNS query: 147.185.221.24
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: ip-api.com
Source: powershell.exe, 0000000A.00000002.2515332922.0000021C65BA0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.m
Source: svchost.exe, 00000013.00000002.3349955530.0000018AE2E61000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.ver)
Source: qmgr.db.19.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
Source: qmgr.db.19.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome/acocfkfsx7alydpzevdxln7drwdq_117.0.5938.134/117.0.5
Source: qmgr.db.19.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
Source: qmgr.db.19.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
Source: qmgr.db.19.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
Source: qmgr.db.19.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
Source: qmgr.db.19.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
Source: qmgr.db.19.dr | String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: powershell.exe, 00000005.00000002.2240784619.000002A3AC819000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://go.microsoft.c
Source: powershell.exe, 00000005.00000002.2240784619.000002A3AC819000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://go.microsoft.ctain
Source: L988Ph5sKX.exe, system log.0.dr | String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: powershell.exe, 00000002.00000002.2192164850.000001809006E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2318244695.000002A3BE36F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2492215405.0000021C5D27F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2703011351.00000222B391E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 0000000D.00000002.2554378115.00000222A3ADA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000002.00000002.2172364854.0000018080229000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2242788972.000002A3AE529000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2373077922.0000021C4D43A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2554378115.00000222A3ADA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: L988Ph5sKX.exe, 00000000.00000002.3352894957.0000000002EF1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2172364854.0000018080001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2242788972.000002A3AE301000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2373077922.0000021C4D211000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2554378115.00000222A38B1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000002.00000002.2172364854.0000018080229000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2242788972.000002A3AE529000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2373077922.0000021C4D43A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2554378115.00000222A3ADA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 0000000D.00000002.2554378115.00000222A3ADA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000002.00000002.2207161585.00000180EAA60000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.micom/pkiops/Docs/ry.htm0
Source: powershell.exe, 00000005.00000002.2339854356.000002A3C6966000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.microsoft.co
Source: powershell.exe, 00000005.00000002.2341378075.000002A3C6ADC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.microsoft.coj
Source: powershell.exe, 00000005.00000002.2341378075.000002A3C6ADC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.microsoft.cojj
Source: powershell.exe, 0000000D.00000002.2735411383.00000222BBDD0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.microsoft.co~
Source: powershell.exe, 00000002.00000002.2172364854.0000018080001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2242788972.000002A3AE301000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2373077922.0000021C4D211000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2554378115.00000222A38B1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 0000000D.00000002.2703011351.00000222B391E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000000D.00000002.2703011351.00000222B391E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
                    Source: powershell.exe, 0000000D.00000002.2703011351.00000222B391E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
                    Source: qmgr.db.19.drString found in binary or memory: https://g.live.com/odclientsettings/Prod1C:
                    Source: svchost.exe, 00000013.00000003.2891978247.0000018AE2C90000.00000004.00000800.00020000.00000000.sdmp, edb.log.19.drString found in binary or memory: https://g.live.com/odclientsettings/ProdV21C:
                    Source: powershell.exe, 0000000D.00000002.2554378115.00000222A3ADA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
                    Source: powershell.exe, 00000002.00000002.2192164850.000001809006E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2318244695.000002A3BE36F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2492215405.0000021C5D27F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2703011351.00000222B391E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe

Operating System Destruction

Source: C:\Users\user\Desktop\L988Ph5sKX.exe | Process information set: 01 00 00 00

System Summary

Source: L988Ph5sKX.exe, type: SAMPLE | Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings, Author: Sekoia.io
Source: L988Ph5sKX.exe, type: SAMPLE | Matched rule: Detects AsyncRAT, Author: ditekSHen
Source: 0.0.L988Ph5sKX.exe.b10000.0.unpack, type: UNPACKEDPE | Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings, Author: Sekoia.io
Source: 0.0.L988Ph5sKX.exe.b10000.0.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT, Author: ditekSHen
Source: 00000000.00000000.2086421489.0000000000B12000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT, Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\system log, type: DROPPED | Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings, Author: Sekoia.io
Source: C:\Users\user\AppData\Local\Temp\system log, type: DROPPED | Matched rule: Detects AsyncRAT, Author: ditekSHen
Source: C:\Windows\System32\svchost.exe | File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
Source: C:\Users\user\Desktop\L988Ph5sKX.exe | Code function: 0_2_00007FFD3489108D
Source: C:\Users\user\Desktop\L988Ph5sKX.exe | Code function: 0_2_00007FFD348960C6
Source: C:\Users\user\Desktop\L988Ph5sKX.exe | Code function: 0_2_00007FFD34891719
Source: C:\Users\user\Desktop\L988Ph5sKX.exe | Code function: 0_2_00007FFD34896E72
Source: C:\Users\user\Desktop\L988Ph5sKX.exe | Code function: 0_2_00007FFD348920F1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_00007FFD34898E2C
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_00007FFD3489BC4A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_00007FFD349630E9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_00007FFD3496333A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 5_2_00007FFD34898EFA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 5_2_00007FFD3489BBFB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_00007FFD348A8E05
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_00007FFD348A8F4A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 13_2_00007FFD3488B9FA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 13_2_00007FFD34888F2A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 13_2_00007FFD3488BBFB
Source: C:\Users\user\AppData\Local\Temp\system log | Code function: 17_2_00007FFD348B1719
Source: C:\Users\user\AppData\Local\Temp\system log | Code function: 17_2_00007FFD348B20F1
Source: C:\Users\user\AppData\Local\Temp\system log | Code function: 17_2_00007FFD348B1038
Source: L988Ph5sKX.exe, 00000000.00000000.2086421489.0000000000B12000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameAWPKeyGenCrackedexe.exe4 vs L988Ph5sKX.exe
Source: L988Ph5sKX.exe | Binary or memory string: OriginalFilenameAWPKeyGenCrackedexe.exe4 vs L988Ph5sKX.exe
Source: L988Ph5sKX.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: L988Ph5sKX.exe, type: SAMPLE | Matched rule: rat_win_xworm_v3, author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: L988Ph5sKX.exe, type: SAMPLE | Matched rule: MALWARE_Win_AsyncRAT, author = ditekSHen, description = Detects AsyncRAT
Source: 0.0.L988Ph5sKX.exe.b10000.0.unpack, type: UNPACKEDPE | Matched rule: rat_win_xworm_v3, author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 0.0.L988Ph5sKX.exe.b10000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT, author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000000.2086421489.0000000000B12000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT, author = ditekSHen, description = Detects AsyncRAT
Source: C:\Users\user\AppData\Local\Temp\system log, type: DROPPED | Matched rule: rat_win_xworm_v3, author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: C:\Users\user\AppData\Local\Temp\system log, type: DROPPED | Matched rule: MALWARE_Win_AsyncRAT, author = ditekSHen, description = Detects AsyncRAT
Source: L988Ph5sKX.exe, yLSIczQphzrs8l81g4f4mVaZzjMIk5gEctqYJumesfapQLgT4owaAQD8RVQuaJquOWWEM9zSeh0gM.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: L988Ph5sKX.exe, OdMR5s2zARJsUFE3rmqIGGkcVOmmbrjimdDCchuLiZzYkWfQdr3V8rnuhLfIQ1BHzXr6gqO4sFl8k.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: L988Ph5sKX.exe, OdMR5s2zARJsUFE3rmqIGGkcVOmmbrjimdDCchuLiZzYkWfQdr3V8rnuhLfIQ1BHzXr6gqO4sFl8k.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: system log.0.dr, yLSIczQphzrs8l81g4f4mVaZzjMIk5gEctqYJumesfapQLgT4owaAQD8RVQuaJquOWWEM9zSeh0gM.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: system log.0.dr, OdMR5s2zARJsUFE3rmqIGGkcVOmmbrjimdDCchuLiZzYkWfQdr3V8rnuhLfIQ1BHzXr6gqO4sFl8k.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: system log.0.dr, OdMR5s2zARJsUFE3rmqIGGkcVOmmbrjimdDCchuLiZzYkWfQdr3V8rnuhLfIQ1BHzXr6gqO4sFl8k.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: system log.0.dr, fIuoBvkfRhoFoc63hFISSwtOvfxlM4FJmtpkgoRS5nPx.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: system log.0.dr, fIuoBvkfRhoFoc63hFISSwtOvfxlM4FJmtpkgoRS5nPx.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: L988Ph5sKX.exe, fIuoBvkfRhoFoc63hFISSwtOvfxlM4FJmtpkgoRS5nPx.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: L988Ph5sKX.exe, fIuoBvkfRhoFoc63hFISSwtOvfxlM4FJmtpkgoRS5nPx.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: classification engine | Classification label: mal100.troj.evad.winEXE@19/25@1/3
Source: C:\Users\user\Desktop\L988Ph5sKX.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\system log.lnk
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7024:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\system log | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5336:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5260:120:WilError_03
Source: C:\Windows\System32\OpenWith.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1540:120:WilError_03
Source: C:\Users\user\Desktop\L988Ph5sKX.exe | Mutant created: \Sessions\1\BaseNamedObjects\ouHO01mYpcpzvsHf
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6064:120:WilError_03
Source: C:\Users\user\Desktop\L988Ph5sKX.exe | File created: C:\Users\user\AppData\Local\Temp\system log
Source: L988Ph5sKX.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: L988Ph5sKX.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\L988Ph5sKX.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\L988Ph5sKX.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: L988Ph5sKX.exe | Virustotal: Detection: 68%
Source: L988Ph5sKX.exe | ReversingLabs: Detection: 81%
Source: C:\Users\user\Desktop\L988Ph5sKX.exe | File read: C:\Users\user\Desktop\L988Ph5sKX.exe
Source: unknown | Process created: C:\Users\user\Desktop\L988Ph5sKX.exe "C:\Users\user\Desktop\L988Ph5sKX.exe"
Source: C:\Users\user\Desktop\L988Ph5sKX.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\L988Ph5sKX.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\L988Ph5sKX.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'L988Ph5sKX.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\L988Ph5sKX.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\system log'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\L988Ph5sKX.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'system log'
Source: C:\Users\user\Desktop\L988Ph5sKX.exe | Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "system log" /tr "C:\Users\user\AppData\Local\Temp\system log"
Source: C:\Windows\System32\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\system log "C:\Users\user\AppData\Local\Temp\system log"
Source: unknown | Process created: C:\Windows\System32\OpenWith.exe C:\Windows\system32\OpenWith.exe -Embedding
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: unknown | Process created: C:\Windows\System32\OpenWith.exe C:\Windows\system32\OpenWith.exe -Embedding
Source: C:\Users\user\Desktop\L988Ph5sKX.exe | Sections loaded (in order): mscoree.dll, apphelp.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, ucrtbase_clr0400.dll, uxtheme.dll, sspicli.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, wbemcomn.dll, amsi.dll, userenv.dll, profapi.dll, windows.storage.dll, wldp.dll, rasapi32.dll, rasman.dll, rtutils.dll, mswsock.dll, winhttp.dll, ondemandconnroutehelper.dll, iphlpapi.dll, dhcpcsvc6.dll, dhcpcsvc.dll, dnsapi.dll, winnsi.dll, rasadhlp.dll, fwpuclnt.dll, propsys.dll, edputil.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, windows.staterepositoryps.dll, wintypes.dll, appresolver.dll, bcp47langs.dll, slc.dll, sppc.dll, onecorecommonproxystub.dll, onecoreuapcommonproxystub.dll, sxs.dll, mpr.dll, scrrun.dll, linkinfo.dll, ntshrui.dll, cscapi.dll, avicap32.dll, msvfw32.dll, winmm.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Sections loaded (in order): atl.dll, mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, amsi.dll, userenv.dll, profapi.dll, windows.storage.dll, wldp.dll, msasn1.dll, gpapi.dll, msisip.dll, wshext.dll, appxsip.dll, opcservices.dll, secur32.dll, sspicli.dll, uxtheme.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, propsys.dll, wininet.dll, microsoft.management.infrastructure.native.unmanaged.dll, mi.dll, miutils.dll, wmidcom.dll, dpapi.dll, wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Sections loaded (in order): atl.dll, mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, windows.storage.dll, wldp.dll, msasn1.dll, amsi.dll, userenv.dll, profapi.dll, gpapi.dll, msisip.dll, wshext.dll, appxsip.dll, opcservices.dll, secur32.dll, sspicli.dll, uxtheme.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, propsys.dll, wininet.dll, microsoft.management.infrastructure.native.unmanaged.dll, mi.dll, miutils.dll, wmidcom.dll, dpapi.dll, wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Sections loaded (in order): atl.dll, mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, ucrtbase_clr0400.dll, cryptsp.dll, rsaenh.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
                    Source: C:\Windows\System32\schtasks.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Windows\System32\schtasks.exe | Section loaded: taskschd.dll
                    Source: C:\Windows\System32\schtasks.exe | Section loaded: sspicli.dll
                    Source: C:\Windows\System32\schtasks.exe | Section loaded: xmllite.dll
                    Source: C:\Users\user\AppData\Local\Temp\system log | Section loaded: mscoree.dll
                    Source: C:\Users\user\AppData\Local\Temp\system log | Section loaded: apphelp.dll
                    Source: C:\Users\user\AppData\Local\Temp\system log | Section loaded: kernel.appcore.dll
                    Source: C:\Users\user\AppData\Local\Temp\system log | Section loaded: version.dll
                    Source: C:\Users\user\AppData\Local\Temp\system log | Section loaded: vcruntime140_clr0400.dll
                    Source: C:\Users\user\AppData\Local\Temp\system log | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\AppData\Local\Temp\system log | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\AppData\Local\Temp\system log | Section loaded: uxtheme.dll
                    Source: C:\Users\user\AppData\Local\Temp\system log | Section loaded: sspicli.dll
                    Source: C:\Users\user\AppData\Local\Temp\system log | Section loaded: cryptsp.dll
                    Source: C:\Users\user\AppData\Local\Temp\system log | Section loaded: rsaenh.dll
                    Source: C:\Users\user\AppData\Local\Temp\system log | Section loaded: cryptbase.dll
                    Source: C:\Windows\System32\OpenWith.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Windows\System32\OpenWith.exe | Section loaded: uxtheme.dll
                    Source: C:\Windows\System32\OpenWith.exe | Section loaded: onecoreuapcommonproxystub.dll
                    Source: C:\Windows\System32\OpenWith.exe | Section loaded: windows.storage.dll
                    Source: C:\Windows\System32\OpenWith.exe | Section loaded: wldp.dll
                    Source: C:\Windows\System32\OpenWith.exe | Section loaded: twinui.dll
                    Source: C:\Windows\System32\OpenWith.exe | Section loaded: wintypes.dll
                    Source: C:\Windows\System32\OpenWith.exe | Section loaded: powrprof.dll
                    Source: C:\Windows\System32\OpenWith.exe | Section loaded: dwmapi.dll
                    Source: C:\Windows\System32\OpenWith.exe | Section loaded: pdh.dll
                    Source: C:\Windows\System32\OpenWith.exe | Section loaded: umpdc.dll
                    Source: C:\Windows\System32\OpenWith.exe | Section loaded: onecorecommonproxystub.dll
                    Source: C:\Windows\System32\OpenWith.exe | Section loaded: actxprxy.dll
                    Source: C:\Windows\System32\OpenWith.exe | Section loaded: propsys.dll
                    Source: C:\Windows\System32\OpenWith.exe | Section loaded: profapi.dll
                    Source: C:\Windows\System32\OpenWith.exe | Section loaded: windows.staterepositoryps.dll
                    Source: C:\Windows\System32\OpenWith.exe | Section loaded: windows.ui.appdefaults.dll
                    Source: C:\Windows\System32\OpenWith.exe | Section loaded: windows.ui.immersive.dll
                    Source: C:\Windows\System32\OpenWith.exe | Section loaded: ntmarta.dll
                    Source: C:\Windows\System32\OpenWith.exe | Section loaded: uiautomationcore.dll
                    Source: C:\Windows\System32\OpenWith.exe | Section loaded: dui70.dll
                    Source: C:\Windows\System32\OpenWith.exe | Section loaded: duser.dll
                    Source: C:\Windows\System32\OpenWith.exe | Section loaded: dwrite.dll
                    Source: C:\Windows\System32\OpenWith.exe | Section loaded: bcp47mrm.dll
                    Source: C:\Windows\System32\OpenWith.exe | Section loaded: uianimation.dll
                    Source: C:\Windows\System32\OpenWith.exe | Section loaded: d3d11.dll
                    Source: C:\Windows\System32\OpenWith.exe | Section loaded: dxgi.dll
                    Source: C:\Windows\System32\OpenWith.exe | Section loaded: d3d10warp.dll
                    Source: C:\Windows\System32\OpenWith.exe | Section loaded: resourcepolicyclient.dll
                    Source: C:\Windows\System32\OpenWith.exe | Section loaded: dxcore.dll
                    Source: C:\Windows\System32\OpenWith.exe | Section loaded: dcomp.dll
                    Source: C:\Windows\System32\OpenWith.exe | Section loaded: oleacc.dll
                    Source: C:\Windows\System32\OpenWith.exe | Section loaded: edputil.dll
                    Source: C:\Windows\System32\OpenWith.exe | Section loaded: windows.ui.dll
                    Source: C:\Windows\System32\OpenWith.exe | Section loaded: windowmanagementapi.dll
                    Source: C:\Windows\System32\OpenWith.exe | Section loaded: textinputframework.dll
                    Source: C:\Windows\System32\OpenWith.exe | Section loaded: inputhost.dll
                    Source: C:\Windows\System32\OpenWith.exe | Section loaded: twinapi.appcore.dll
                    Source: C:\Windows\System32\OpenWith.exe | Section loaded: coremessaging.dll
                    Source: C:\Windows\System32\OpenWith.exe | Section loaded: twinapi.appcore.dll
                    Source: C:\Windows\System32\OpenWith.exe | Section loaded: coreuicomponents.dll
                    Source: C:\Windows\System32\OpenWith.exe | Section loaded: coremessaging.dll
                    Source: C:\Windows\System32\OpenWith.exe | Section loaded: coremessaging.dll
                    Source: C:\Windows\System32\OpenWith.exe | Section loaded: coreuicomponents.dll
                    Source: C:\Windows\System32\OpenWith.exe | Section loaded: windowscodecs.dll
                    Source: C:\Windows\System32\OpenWith.exe | Section loaded: thumbcache.dll
                    Source: C:\Windows\System32\OpenWith.exe | Section loaded: policymanager.dll
                    Source: C:\Windows\System32\OpenWith.exe | Section loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\OpenWith.exe | Section loaded: sxs.dll
                    Source: C:\Windows\System32\OpenWith.exe | Section loaded: directmanipulation.dll
                    Source: C:\Windows\System32\OpenWith.exe | Section loaded: textshaping.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: qmgr.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: bitsperf.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: powrprof.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: xmllite.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: firewallapi.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: esent.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: umpdc.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: dnsapi.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: iphlpapi.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: fwbase.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: wldp.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: ntmarta.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: profapi.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: flightsettings.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: netprofm.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: npmproxy.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: bitsigd.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: upnp.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: winhttp.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: ssdpapi.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: urlmon.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: iertutil.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: srvcli.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: netutils.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: appxdeploymentclient.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: cryptbase.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: wsmauto.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: miutils.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: wsmsvc.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: dsrole.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: pcwum.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: mi.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: userenv.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: gpapi.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: winhttp.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: wkscli.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: netutils.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: sspicli.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: ondemandconnroutehelper.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: msv1_0.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: ntlmshared.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: cryptdll.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: webio.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: mswsock.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: winnsi.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: rasadhlp.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: fwpuclnt.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: rmclient.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: usermgrcli.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: execmodelclient.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: propsys.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: coremessaging.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: twinapi.appcore.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: onecorecommonproxystub.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: execmodelproxy.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: resourcepolicyclient.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: vssapi.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: vsstrace.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: samcli.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: samlib.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: es.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: bitsproxy.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: ondemandconnroutehelper.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: dhcpcsvc6.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: dhcpcsvc.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: schannel.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: mskeyprotect.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: ntasn1.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: ncrypt.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: ncryptsslp.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: msasn1.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: cryptsp.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: rsaenh.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: dpapi.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: mpr.dll
                    Source: C:\Windows\System32\OpenWith.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Windows\System32\OpenWith.exe | Section loaded: uxtheme.dll
                    Source: C:\Windows\System32\OpenWith.exe | Section loaded: onecoreuapcommonproxystub.dll
                    Source: C:\Windows\System32\OpenWith.exe | Section loaded: windows.storage.dll
                    Source: C:\Windows\System32\OpenWith.exe | Section loaded: wldp.dll
                    Source: C:\Users\user\Desktop\L988Ph5sKX.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
                    Source: system log.lnk.0.dr | LNK file: ..\..\..\..\..\..\Local\Temp\system log
                    Source: Window Recorder | Window detected: More than 3 window changes detected
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
                    Source: L988Ph5sKX.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                    Source: L988Ph5sKX.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
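The "Section loaded" entries above are a flat list of image/module pairs, which is far more useful once regrouped per process. The following Python script is an added example, not part of the Joe Sandbox report or of any Joe Sandbox tooling: it parses lines in the report's format (both the fused form this page shows and a column-separated form), groups the loaded modules per image, and applies three assumed triage rules drawn from what the report records for this sample: a managed (.NET) binary, recognisable by mscoree.dll, running from a user-writable directory; PowerShell loading the CIM/WMI client libraries mi.dll and wmidcom.dll; and a process in a user-writable directory loading the CryptoAPI providers cryptsp.dll and rsaenh.dll. The sample lines are a constructed subset of the report's own entries; the rules, the USER_WRITABLE path list and the function names are assumptions for this example, not Joe Sandbox signatures.

```python
import re
from collections import defaultdict

# Constructed input: a subset of the "Section loaded" entries from the report
# above, given both in the fused form this page shows and in a separated form.
SAMPLE_LINES = r"""
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: taskschd.dll
Source: C:\Users\user\AppData\Local\Temp\system logSection loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\system logSection loaded: rsaenh.dll
Source: C:\Windows\System32\svchost.exeSection loaded: qmgr.dll
Source: C:\Windows\System32\svchost.exeSection loaded: schannel.dll
""".strip().splitlines()

# Matches "Source: <image>Section loaded: <module>" with or without a column
# separator; the lazy module group stops at ".dll", so a trailing
# "Jump to behavior" link text is ignored.
LINE_RE = re.compile(
    r"^Source:\s*(?P<image>.+?)\s*\|?\s*Section loaded:\s*(?P<module>[\w.\-]+?\.dll)",
    re.IGNORECASE,
)

# Assumed user-writable locations treated as suspicious image paths (lower case).
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\users\\public\\")


def parse_section_loads(lines):
    """Group loaded modules by the image that loaded them, keeping load order."""
    loads = defaultdict(list)
    for line in lines:
        match = LINE_RE.match(line.strip())
        if match:
            loads[match["image"]].append(match["module"].lower())
    return dict(loads)


def in_user_writable_path(image):
    lowered = image.lower()
    return any(marker in lowered for marker in USER_WRITABLE)


def flag_process(image, modules):
    """Apply the assumed triage rules; returns a list of human-readable findings."""
    findings = []
    loaded = set(modules)
    lowered = image.lower()
    if in_user_writable_path(image) and "mscoree.dll" in loaded:
        findings.append("managed (.NET) binary executing from a user-writable directory")
    if lowered.endswith("\\powershell.exe") and loaded & {"mi.dll", "wmidcom.dll"}:
        findings.append("PowerShell using the CIM/WMI client (mi.dll, wmidcom.dll)")
    if in_user_writable_path(image) and loaded & {"cryptsp.dll", "rsaenh.dll"}:
        findings.append("process in a user-writable directory using CryptoAPI providers")
    return findings


def triage(lines):
    """Parse report lines and return {image: [findings]} for flagged images only."""
    report = {}
    for image, modules in parse_section_loads(lines).items():
        findings = flag_process(image, modules)
        if findings:
            report[image] = findings
    return report


if __name__ == "__main__":
    for image, findings in triage(SAMPLE_LINES).items():
        print(image)
        for finding in findings:
            print("  -", finding)
```

Run against the constructed lines, the script flags the Temp-resident "system log" binary twice (managed code plus CryptoAPI) and powershell.exe once (WMI client), while schtasks.exe and svchost.exe stay quiet. Feed it the full list above to see the same grouping for every process in the report; the rules are deliberately narrow and are a starting point for triage, not a verdict.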

                    Data Obfuscation

                    Source: L988Ph5sKX.exe, NiBWdfYOiIaHRwmXtmy4hNkuVvxSKA0B4tuuian5LH09.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{k04EwhChXRwU7O2Ldgq3fb7KYRVjsKBxfzljBEGa5hynwVuNPHEkaYQaXhX._4pe3ednqpLzXVahNLaEZfGzLO7lvkzJpu8df1Rj5OVx4FeZ1MoO9xBYteDG,k04EwhChXRwU7O2Ldgq3fb7KYRVjsKBxfzljBEGa5hynwVuNPHEkaYQaXhX.yQ0vxpEHT5Sl0FmDBKDIKzCOwVylwk6xg7imDBoyprrrkTNM9Ho09kdFyDR,k04EwhChXRwU7O2Ldgq3fb7KYRVjsKBxfzljBEGa5hynwVuNPHEkaYQaXhX.J3hNTMtUsYrVRJVCwUo6Hiv8bXgzJnXIEklBpKLeCfdCX8OvYbCdaZbKYU7,k04EwhChXRwU7O2Ldgq3fb7KYRVjsKBxfzljBEGa5hynwVuNPHEkaYQaXhX._02h3edyrA56Q90SHn3KnIPAwbMX7wFL484qkTLq6ZfrEys8gcKRwy4V2uUv,OdMR5s2zARJsUFE3rmqIGGkcVOmmbrjimdDCchuLiZzYkWfQdr3V8rnuhLfIQ1BHzXr6gqO4sFl8k._4dXl5GEhd0igI7a4ZBM2fNKMecztcsXtAdqUcaCRuE1cmRlrcdp5eh8rWmOxIf()}}, (string[])null, (Type[])null, (bool[])null, true)
                    Source: L988Ph5sKX.exe, NiBWdfYOiIaHRwmXtmy4hNkuVvxSKA0B4tuuian5LH09.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{_53RCF9mhUBrvCmPAj5TC5IrB8Wk1wJsKLRV451JqEXGA[2],OdMR5s2zARJsUFE3rmqIGGkcVOmmbrjimdDCchuLiZzYkWfQdr3V8rnuhLfIQ1BHzXr6gqO4sFl8k.m5mtvXQ9dSOhwSXVnyG2EWT4eWrxGZql70MY0Fpy1wKAgY3aHSiZaklje6Lj9f(Convert.FromBase64String(_53RCF9mhUBrvCmPAj5TC5IrB8Wk1wJsKLRV451JqEXGA[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
                    Source: system log.0.dr, NiBWdfYOiIaHRwmXtmy4hNkuVvxSKA0B4tuuian5LH09.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{k04EwhChXRwU7O2Ldgq3fb7KYRVjsKBxfzljBEGa5hynwVuNPHEkaYQaXhX._4pe3ednqpLzXVahNLaEZfGzLO7lvkzJpu8df1Rj5OVx4FeZ1MoO9xBYteDG,k04EwhChXRwU7O2Ldgq3fb7KYRVjsKBxfzljBEGa5hynwVuNPHEkaYQaXhX.yQ0vxpEHT5Sl0FmDBKDIKzCOwVylwk6xg7imDBoyprrrkTNM9Ho09kdFyDR,k04EwhChXRwU7O2Ldgq3fb7KYRVjsKBxfzljBEGa5hynwVuNPHEkaYQaXhX.J3hNTMtUsYrVRJVCwUo6Hiv8bXgzJnXIEklBpKLeCfdCX8OvYbCdaZbKYU7,k04EwhChXRwU7O2Ldgq3fb7KYRVjsKBxfzljBEGa5hynwVuNPHEkaYQaXhX._02h3edyrA56Q90SHn3KnIPAwbMX7wFL484qkTLq6ZfrEys8gcKRwy4V2uUv,OdMR5s2zARJsUFE3rmqIGGkcVOmmbrjimdDCchuLiZzYkWfQdr3V8rnuhLfIQ1BHzXr6gqO4sFl8k._4dXl5GEhd0igI7a4ZBM2fNKMecztcsXtAdqUcaCRuE1cmRlrcdp5eh8rWmOxIf()}}, (string[])null, (Type[])null, (bool[])null, true)
                    Source: system log.0.dr, NiBWdfYOiIaHRwmXtmy4hNkuVvxSKA0B4tuuian5LH09.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{_53RCF9mhUBrvCmPAj5TC5IrB8Wk1wJsKLRV451JqEXGA[2],OdMR5s2zARJsUFE3rmqIGGkcVOmmbrjimdDCchuLiZzYkWfQdr3V8rnuhLfIQ1BHzXr6gqO4sFl8k.m5mtvXQ9dSOhwSXVnyG2EWT4eWrxGZql70MY0Fpy1wKAgY3aHSiZaklje6Lj9f(Convert.FromBase64String(_53RCF9mhUBrvCmPAj5TC5IrB8Wk1wJsKLRV451JqEXGA[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
                    Source: L988Ph5sKX.exe, NiBWdfYOiIaHRwmXtmy4hNkuVvxSKA0B4tuuian5LH09.cs | .Net Code: _36H9c8gBUWVrhwW2S3JVp7pB7MCSnNmssykxgOk3sxHN System.AppDomain.Load(byte[])
                    Source: L988Ph5sKX.exe, NiBWdfYOiIaHRwmXtmy4hNkuVvxSKA0B4tuuian5LH09.cs | .Net Code: IPzSqExFFoyN0darTB1EWQ97Wdd1iXBMn0nxIMjByZQ1 System.AppDomain.Load(byte[])
                    Source: L988Ph5sKX.exe, NiBWdfYOiIaHRwmXtmy4hNkuVvxSKA0B4tuuian5LH09.cs | .Net Code: IPzSqExFFoyN0darTB1EWQ97Wdd1iXBMn0nxIMjByZQ1
                    Source: system log.0.dr, NiBWdfYOiIaHRwmXtmy4hNkuVvxSKA0B4tuuian5LH09.cs | .Net Code: _36H9c8gBUWVrhwW2S3JVp7pB7MCSnNmssykxgOk3sxHN System.AppDomain.Load(byte[])
                    Source: system log.0.dr, NiBWdfYOiIaHRwmXtmy4hNkuVvxSKA0B4tuuian5LH09.cs | .Net Code: IPzSqExFFoyN0darTB1EWQ97Wdd1iXBMn0nxIMjByZQ1 System.AppDomain.Load(byte[])
                    Source: system log.0.dr, NiBWdfYOiIaHRwmXtmy4hNkuVvxSKA0B4tuuian5LH09.cs | .Net Code: IPzSqExFFoyN0darTB1EWQ97Wdd1iXBMn0nxIMjByZQ1
                    Source: C:\Users\user\Desktop\L988Ph5sKX.exe | Code function: 0_2_00007FFD348900BD pushad ; iretd 0_2_00007FFD348900C1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_00007FFD3477D2A5 pushad ; iretd 2_2_00007FFD3477D2A6
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_00007FFD348900BD pushad ; iretd 2_2_00007FFD348900C1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_00007FFD34962316 push 8B485F94h; iretd 2_2_00007FFD3496231B
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 5_2_00007FFD3477D2A5 pushad ; iretd 5_2_00007FFD3477D2A6
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 5_2_00007FFD348900BD pushad ; iretd 5_2_00007FFD348900C1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 5_2_00007FFD348919DB pushad ; ret 5_2_00007FFD348919E9
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 5_2_00007FFD34962316 push 8B485F94h; iretd 5_2_00007FFD3496231B
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_00007FFD3478D2A5 pushad ; iretd 10_2_00007FFD3478D2A6
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_00007FFD348A00BD pushad ; iretd 10_2_00007FFD348A00C1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_00007FFD34972316 push 8B485F93h; iretd 10_2_00007FFD3497231B
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_00007FFD3497640E push eax; iretd 10_2_00007FFD34976481
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 13_2_00007FFD3476D2A5 pushad ; iretd 13_2_00007FFD3476D2A6
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 13_2_00007FFD348800BD pushad ; iretd 13_2_00007FFD348800C1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 13_2_00007FFD34952316 push 8B485F95h; iretd 13_2_00007FFD3495231B
                    Source: C:\Users\user\AppData\Local\Temp\system log | Code function: 17_2_00007FFD348B00BD pushad ; iretd 17_2_00007FFD348B00C1
                    Source: L988Ph5sKX.exe, k04EwhChXRwU7O2Ldgq3fb7KYRVjsKBxfzljBEGa5hynwVuNPHEkaYQaXhX.cs | High entropy of concatenated method names: 'gQXgzIXUVed9JNf9sTwKwmo68imEAnhrr84mi', 'KyuFuJTUW319v31WY49VKS5YNV2ooDEBHFflv', 'qeNFJXLmqbvhjbEiJQv6KrKYj7q5yXuiENWja', 'f6fxrWlFHGHidvPzy1OUZdqI0d9yky5vlsz2U'
                    Source: L988Ph5sKX.exe, 1SMz5lKTIh4isE8KytaGC94AKCcIrDLckPiK1zfV53wq0doac5uJizukasCPXg.cs | High entropy of concatenated method names: 'kmIKd7fDdU7B3MxPCm68w4WuAEyI5WkrjtGnDGovHrjfv0CrzPWOI9ztKWlUoU', 'FFARx9VLCvupieTN5o8mrPlaVGqwDuLN0E22ffURB5oi0PopsZX7eq20DmRyEI', 'j7fOlYn4jbA4m1TkfnIMb9bjcOS1UNvbB3pVdundkXEc10CvKG7Q1mR46yn7ls', 'VVt25IYJ4C1AQEwCzKe99C82X9SS9eC1JH7X1FoYwpl6gD52xehWg2', 'azxPR7FMBzhHLcts5e2Lq2PJssEBjx05wbv0xRMxotwiJiwQIhSuuc', 'rfI54pw5Euv5Cpx1BLOm4Z530PBCMDrAvyCNaI8vPUoBMjDtGgsG3H', '_9YgGogDbaX3cBtOKATHJbf5rS6yhedibVC16Z6TEYGtysWBcDV450p', '_4cKPdTuFc93UdDI18oip8bwap5jFDjc0LRwFeRPnVYKadDiuLXuw57', 'BsxGzxJpDD7uR9zg7QkLEzjRpEXcltAknzrgRFv1Yig2v7OJdUf0ES', '_0a1l3ffT8nZ1NseaWzRf7Xd2C9FPQ5sOTlkDQef7dQkj4SozKABz0d'
                    Source: L988Ph5sKX.exe, KS315KBEJQKYbu7epShSU0rr9C1.cs | High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'fp8CHSkgDpURSDo8XfSoptO5i2dcWjBETlLVQ', 'hwKMKG1jjjSg5bdyWWSWr3zVlHPD6NUVjkmk4', 'iB4ky4rnFy6rACWPvZads93CwRhAXdMY3TfGe', 'usGankrnotrZ0LcKUMavnIeezn4B5qxkDPbWI'
                    Source: L988Ph5sKX.exe, axTYxe8uniVoYbv3viDPGJaryQ6X5f1NfITxBjpXx75X.cs | High entropy of concatenated method names: 'Km5PotcpIqAErEfrgeSHLsPaXfe4WRFLqaBVOCgYc1pk', 'G0DFCbi2dycFPiUymDpPdK', 'DjRr28CreDWaTVJ2NUOY6J', 'Ob1LLJ7xaq1wbxVIVHRYH7', 'mis796vbtS2oPWHtQAO5ZH'
                    Source: L988Ph5sKX.exe, yLSIczQphzrs8l81g4f4mVaZzjMIk5gEctqYJumesfapQLgT4owaAQD8RVQuaJquOWWEM9zSeh0gM.cs | High entropy of concatenated method names: 'rjiCyqbWeBE3MVY9wYpk9lGB0KMqIKtzxbcW47A1q7Wg5a4pGK6YbDRRSFmqfryIvgciRUB3DkzDW', 'vvLMwN6jFYLthUhsVPypzj', 'OCMehs1GNkl12LaiytEQDn', 'k7iXvucfH6BmqwaCvKDl62', 'uaxYbvErXEhHioosRKo8gQ'
                    Source: L988Ph5sKX.exe, OdMR5s2zARJsUFE3rmqIGGkcVOmmbrjimdDCchuLiZzYkWfQdr3V8rnuhLfIQ1BHzXr6gqO4sFl8k.cs | High entropy of concatenated method names: 'Mm4bXPz6xUYYQ2dSaD1nUTOegFP0I2c9hfglWuNNWZFF6eKzZ9qz7BkZUV4KRV', 'n5w3FtPDWnvysCyPZ7bHaX2oTZhBBSYS6xpbucmrC1gWXsXMr0ZnrmqmKYLHeo', 'nOt7CnfYsjVQRgzM31IGVqR1K0XcxqXBYQiaaLxDiOaKDid8BGfb14edDWc3Mu', 'HN1i9frcBpGe1Zo6ZShvN6qNLXM7cYJvkQPO58i4v8rBAgYN2vj0Gil2qR5hTT', 'klbbuyuaKdnlTDtmBGdAoVeTCLj6fDF8f5fjKsjLS8DioaXppfpbPBAqAjnnZx', 'ljFF3Uhu49ZUsoWXtnecKrzgaintit19MUF3CxP7cw66SVdNFWOWh9O2svtvsc', 'Q7EcDCrBfv4WRB9iGzRD5MyTTMKwhh9u2pgXyb2xdk58b4t91UY9RbpiqntJoY', 'zv7eaTK5DLI2jPf3QtrO44TdiAL0m27a1J2sfiGvqmOoLywJsEOEZOA9TkZVlC', 'SKGG9snzPUBPV3YR3jlzWRylM5rNkD62oe6s45SfQMD2okp7lDShMkxVP1uIwt', '_7rYEdSimg5dD0eshZc0ucudppYZvMiz1i6HbsSK7Vk8Gw11fTjDlW7OIMtrI9I'
                    Source: L988Ph5sKX.exe, ZtdpowfpZvX238lYuRPFQDdUyhDNRsjirVJfbssJsH6hM43E7ZAJ1DTF068A1WIJUHy2LHqFMIAyI.cs | High entropy of concatenated method names: 'fwiI75sJWTZ3OEQZXtJjJkF3MqM6WdQhHtC0yC8IvMioqfDU97aMI9gWqiBQZCIsBe0lQzNesTYLf', 'yK6YfXYtQwIt3o7D7lInTnQXThLKVEj0FLXZ5c9YJTtuBFj2ySGnINxxZ45hpX7TpcSAD09zSR7cW', 'F0PByzfjwU1ZR31Gs6mG2NbIP6wYz7MWZzFxVeNdQyKufvLcHclame7yfcT0lWzog7hdF5hbOAgI9', 'PZCRwUdTwheXlWiYglyqCLm9JOuhmchnY5bwicnRZyMZSy78xEBV3aWpu9uAR1WOcvqLPuzHhax3w', 'aAObJEzQjV5AhM8t7kgSRD', 'rcazT6x0ctwKKQIzvhqAdt', 'V5HIyDeEPfO3ROMIGj4lxL', 'tVA0qgxaRNmaXirsj7vFk7', 'alkIZlGmITeRfv8fE3QnBh', 'ZQGFJXYX8D7hsbmsMWVAwU'
                    Source: L988Ph5sKX.exe, fIuoBvkfRhoFoc63hFISSwtOvfxlM4FJmtpkgoRS5nPx.cs | High entropy of concatenated method names: '_1AaD7rnihw6WOKI8xL5COA9iLj26DIsOWeAYYvs6R8Jm', 'wUVYPRQMW38tEZsGZD238i73zHzu2XDAaDBy2ZBjk4oX', 'vSbh0vOBV0eRMY9JMmrmBQAK8us4XWjYfMnZ1LwDBTbf', '_2mGGMrIgwsCaUHbf0wB1sLLLVocHvDpldMbCvyi6D53j', 'HTLmRCkcnTuPp8BtB5Xt4T7Q8Fcnx3MVWGIz1oQhTcLS', 'dLEuXZKLyhmRomZUIwgw66LBD4WNfMwSM5CZFGiPaQy1', 'W9iE5OhFUFuInPkVS4a1bdRPtviWZuXm1ivIfC6dWXTb', 'yck8lxDfZ4q1ox1LaXsOvqhWquHsu8PFAyjUCfHfDYMJ', 'SB6AnusWILwncpXthSetNpCROPPMHCK4sAaPOSayLOFz', 'Bu5TLmlNYZhnV0toZDx2phET2DdF4sv06dWiQRMlgMmZ'
                    Source: L988Ph5sKX.exe, ufFg5ZmduuvmAqmQKxu24IFWJPdKsq1AnisZ92Yc5Y54.csHigh entropy of concatenated method names: '_5rPQjasoZOFwbRquqfgmotyQtXEsUGfaoDhLFJn1vPDj', '_75tr00pDygj9thicN1pwLHCP1cIFhEhv3OY5khCTkfKZ', 'zcOBNUcwWzYpCdmac2YYixCM8xrzmhQqcTdgezHtG41s', 'kWKmKLbP64KaiW7vu7CkUxBYVHF06tBWsR5t6ik5NlHo5Pc7Ars5GAEZgZdnx03WV3KKDep4wsZ8I', 'rZVRfT743xdaiMdrU4K0BkDVFKvZkKf0jsUuyUVwABRGsZJYs1rMZZuiCG2KzPihqCEOyEOVN6X5k', 'RT2H2nAg7ke26uq4Ptts996YOHf0Unis5aq67Vp2vtVE51kRmn5kAd4qqaWVhJq6XRtfiuyfqHK3n', 'ShTLeeI7O8Kg2CKXs4mCwAS2Pi7eMSC8Wn4lbMckpOx43eskEIAKFrirIvAH7W00g9b7OVAfZupOz', '_1iDROlENMvYe7fc95NgTvAxMQFpRpwlEClQp4nwlf4QI5PBeS2M7Yn2CZkJtxCcLX3wttMKbPTApb', 'PxLLW1aHkNIcu0L5EMoHn3NrX4tA7euThpnorCq5V4seG7ca5tF3uIXdGAPp7ojdvsdcGkWKcKzN6', 'XB14R0FaVwadjsqNJ3LjVHzD3DrmmCAX1KeVHfGxsFPxXkc7WbBBqdSe0xopiqnVLnwtoS0rguYUk'
                    Source: L988Ph5sKX.exe, bj5RJocgNle1VYgW6tPR8dZQmKpSpYQwbbhcfGN6PETrghPSwZTZVYliPJ9.csHigh entropy of concatenated method names: 'SVPT2HY5g024hLb93kr5LyL8gtzkwpFnTCf0ltK8uIy3n5DzoK50gisO8Js', '_5liMMbYk75lIRJdfpFrsSKWusLxqzwx8hWQ4xpp34V6a31MnVyW6FPBdK3t', 'CHqoiVENrRO88BC2dJ2r9QTQ4IJBdtB0KXbQlnTOFThRdNkMYj4X1l1u9zj', 'HcjXZ1DbW1r1ncUhDtZBCO23AuwSzQKu5iYEc8OObhLp13agWBnHdO7yKey', 'zvbx2gOUNeGg1DI8z61ZNLlvQ80ekZsGDD1ioz2MwlhJX7RqqXFXiIJiUlX', '_2wv5JHQA16T8E8Lr7DQZ1pCR9gOo8JyPe6iJWb2X1L7cgschOLLAnxEGWDS', '_34xOKbiU3A3UpU0ltBk7iCu5FW03gwQ6X7RCh9qHNPm38qgfciZrwXzVMYK', 'AvAVcEi8ToOaiGxRonB6hzYO0LrkLkFI5GtPHFsiiFSMgnt4ORY2PaaYO7Z', 'g7hQFA691F7Ws8wuGrqPB866lhB4o4nk9kHDF1xGIP1c0yFOOYgo45YdjFZ', 'nLlW9CiigjsI7ILxpxCnxbAoxQTHv38A40HSXOouoAS3P8gYiaCTci9G1jz'
                    Source: L988Ph5sKX.exe, NiBWdfYOiIaHRwmXtmy4hNkuVvxSKA0B4tuuian5LH09.csHigh entropy of concatenated method names: '_56WpXa9N1PlNqUVjBQqzQRLdELbyQT4UboLNdoWHWHkn', '_36H9c8gBUWVrhwW2S3JVp7pB7MCSnNmssykxgOk3sxHN', 'v8h0AEK5olYYDiYE3REpJntKR72O9sWP73imZN7UbdzV', 'XCGvehrJqgdDbU88ZTveKpuek2Y82f8Fp6OtV6WlNBFq', 'Cv1kPXMXHmNnOr3FrUi9BV2VBkxA0zoC60gaHiGHBNgN', 'NHkqpZxtzC7pqEjUY9KDCkgWsNfwoqqpGXZzxfPHCxCI', 'Ed10gwAguc2bzVSeQC4LxQWZKRTHSJwkkyN11KZ12Pq8', 'TqrcYns2uw3gTaLLUXKtj8hUKJzPm4yILOo6okgVCO2Q', 'CJPSF0ZYleLj939XyfSSkFazI1O3KwFHeSViNQPhvpPb', '_8DRmldxr7Nrg9Icb9LqrwIbiVOJe9er3lrMjGJUp8m2V'
                    Source: system log.0.dr, k04EwhChXRwU7O2Ldgq3fb7KYRVjsKBxfzljBEGa5hynwVuNPHEkaYQaXhX.csHigh entropy of concatenated method names: 'gQXgzIXUVed9JNf9sTwKwmo68imEAnhrr84mi', 'KyuFuJTUW319v31WY49VKS5YNV2ooDEBHFflv', 'qeNFJXLmqbvhjbEiJQv6KrKYj7q5yXuiENWja', 'f6fxrWlFHGHidvPzy1OUZdqI0d9yky5vlsz2U'
                    Source: system log.0.dr, 1SMz5lKTIh4isE8KytaGC94AKCcIrDLckPiK1zfV53wq0doac5uJizukasCPXg.csHigh entropy of concatenated method names: 'kmIKd7fDdU7B3MxPCm68w4WuAEyI5WkrjtGnDGovHrjfv0CrzPWOI9ztKWlUoU', 'FFARx9VLCvupieTN5o8mrPlaVGqwDuLN0E22ffURB5oi0PopsZX7eq20DmRyEI', 'j7fOlYn4jbA4m1TkfnIMb9bjcOS1UNvbB3pVdundkXEc10CvKG7Q1mR46yn7ls', 'VVt25IYJ4C1AQEwCzKe99C82X9SS9eC1JH7X1FoYwpl6gD52xehWg2', 'azxPR7FMBzhHLcts5e2Lq2PJssEBjx05wbv0xRMxotwiJiwQIhSuuc', 'rfI54pw5Euv5Cpx1BLOm4Z530PBCMDrAvyCNaI8vPUoBMjDtGgsG3H', '_9YgGogDbaX3cBtOKATHJbf5rS6yhedibVC16Z6TEYGtysWBcDV450p', '_4cKPdTuFc93UdDI18oip8bwap5jFDjc0LRwFeRPnVYKadDiuLXuw57', 'BsxGzxJpDD7uR9zg7QkLEzjRpEXcltAknzrgRFv1Yig2v7OJdUf0ES', '_0a1l3ffT8nZ1NseaWzRf7Xd2C9FPQ5sOTlkDQef7dQkj4SozKABz0d'
                    Source: system log.0.dr, KS315KBEJQKYbu7epShSU0rr9C1.csHigh entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'fp8CHSkgDpURSDo8XfSoptO5i2dcWjBETlLVQ', 'hwKMKG1jjjSg5bdyWWSWr3zVlHPD6NUVjkmk4', 'iB4ky4rnFy6rACWPvZads93CwRhAXdMY3TfGe', 'usGankrnotrZ0LcKUMavnIeezn4B5qxkDPbWI'
                    Source: system log.0.dr, axTYxe8uniVoYbv3viDPGJaryQ6X5f1NfITxBjpXx75X.csHigh entropy of concatenated method names: 'Km5PotcpIqAErEfrgeSHLsPaXfe4WRFLqaBVOCgYc1pk', 'G0DFCbi2dycFPiUymDpPdK', 'DjRr28CreDWaTVJ2NUOY6J', 'Ob1LLJ7xaq1wbxVIVHRYH7', 'mis796vbtS2oPWHtQAO5ZH'
                    Source: system log.0.dr, yLSIczQphzrs8l81g4f4mVaZzjMIk5gEctqYJumesfapQLgT4owaAQD8RVQuaJquOWWEM9zSeh0gM.csHigh entropy of concatenated method names: 'rjiCyqbWeBE3MVY9wYpk9lGB0KMqIKtzxbcW47A1q7Wg5a4pGK6YbDRRSFmqfryIvgciRUB3DkzDW', 'vvLMwN6jFYLthUhsVPypzj', 'OCMehs1GNkl12LaiytEQDn', 'k7iXvucfH6BmqwaCvKDl62', 'uaxYbvErXEhHioosRKo8gQ'
                    Source: system log.0.dr, OdMR5s2zARJsUFE3rmqIGGkcVOmmbrjimdDCchuLiZzYkWfQdr3V8rnuhLfIQ1BHzXr6gqO4sFl8k.csHigh entropy of concatenated method names: 'Mm4bXPz6xUYYQ2dSaD1nUTOegFP0I2c9hfglWuNNWZFF6eKzZ9qz7BkZUV4KRV', 'n5w3FtPDWnvysCyPZ7bHaX2oTZhBBSYS6xpbucmrC1gWXsXMr0ZnrmqmKYLHeo', 'nOt7CnfYsjVQRgzM31IGVqR1K0XcxqXBYQiaaLxDiOaKDid8BGfb14edDWc3Mu', 'HN1i9frcBpGe1Zo6ZShvN6qNLXM7cYJvkQPO58i4v8rBAgYN2vj0Gil2qR5hTT', 'klbbuyuaKdnlTDtmBGdAoVeTCLj6fDF8f5fjKsjLS8DioaXppfpbPBAqAjnnZx', 'ljFF3Uhu49ZUsoWXtnecKrzgaintit19MUF3CxP7cw66SVdNFWOWh9O2svtvsc', 'Q7EcDCrBfv4WRB9iGzRD5MyTTMKwhh9u2pgXyb2xdk58b4t91UY9RbpiqntJoY', 'zv7eaTK5DLI2jPf3QtrO44TdiAL0m27a1J2sfiGvqmOoLywJsEOEZOA9TkZVlC', 'SKGG9snzPUBPV3YR3jlzWRylM5rNkD62oe6s45SfQMD2okp7lDShMkxVP1uIwt', '_7rYEdSimg5dD0eshZc0ucudppYZvMiz1i6HbsSK7Vk8Gw11fTjDlW7OIMtrI9I'
                    Source: system log.0.dr, ZtdpowfpZvX238lYuRPFQDdUyhDNRsjirVJfbssJsH6hM43E7ZAJ1DTF068A1WIJUHy2LHqFMIAyI.csHigh entropy of concatenated method names: 'fwiI75sJWTZ3OEQZXtJjJkF3MqM6WdQhHtC0yC8IvMioqfDU97aMI9gWqiBQZCIsBe0lQzNesTYLf', 'yK6YfXYtQwIt3o7D7lInTnQXThLKVEj0FLXZ5c9YJTtuBFj2ySGnINxxZ45hpX7TpcSAD09zSR7cW', 'F0PByzfjwU1ZR31Gs6mG2NbIP6wYz7MWZzFxVeNdQyKufvLcHclame7yfcT0lWzog7hdF5hbOAgI9', 'PZCRwUdTwheXlWiYglyqCLm9JOuhmchnY5bwicnRZyMZSy78xEBV3aWpu9uAR1WOcvqLPuzHhax3w', 'aAObJEzQjV5AhM8t7kgSRD', 'rcazT6x0ctwKKQIzvhqAdt', 'V5HIyDeEPfO3ROMIGj4lxL', 'tVA0qgxaRNmaXirsj7vFk7', 'alkIZlGmITeRfv8fE3QnBh', 'ZQGFJXYX8D7hsbmsMWVAwU'
                    Source: system log.0.dr, fIuoBvkfRhoFoc63hFISSwtOvfxlM4FJmtpkgoRS5nPx.csHigh entropy of concatenated method names: '_1AaD7rnihw6WOKI8xL5COA9iLj26DIsOWeAYYvs6R8Jm', 'wUVYPRQMW38tEZsGZD238i73zHzu2XDAaDBy2ZBjk4oX', 'vSbh0vOBV0eRMY9JMmrmBQAK8us4XWjYfMnZ1LwDBTbf', '_2mGGMrIgwsCaUHbf0wB1sLLLVocHvDpldMbCvyi6D53j', 'HTLmRCkcnTuPp8BtB5Xt4T7Q8Fcnx3MVWGIz1oQhTcLS', 'dLEuXZKLyhmRomZUIwgw66LBD4WNfMwSM5CZFGiPaQy1', 'W9iE5OhFUFuInPkVS4a1bdRPtviWZuXm1ivIfC6dWXTb', 'yck8lxDfZ4q1ox1LaXsOvqhWquHsu8PFAyjUCfHfDYMJ', 'SB6AnusWILwncpXthSetNpCROPPMHCK4sAaPOSayLOFz', 'Bu5TLmlNYZhnV0toZDx2phET2DdF4sv06dWiQRMlgMmZ'
                    Source: system log.0.dr, ufFg5ZmduuvmAqmQKxu24IFWJPdKsq1AnisZ92Yc5Y54.csHigh entropy of concatenated method names: '_5rPQjasoZOFwbRquqfgmotyQtXEsUGfaoDhLFJn1vPDj', '_75tr00pDygj9thicN1pwLHCP1cIFhEhv3OY5khCTkfKZ', 'zcOBNUcwWzYpCdmac2YYixCM8xrzmhQqcTdgezHtG41s', 'kWKmKLbP64KaiW7vu7CkUxBYVHF06tBWsR5t6ik5NlHo5Pc7Ars5GAEZgZdnx03WV3KKDep4wsZ8I', 'rZVRfT743xdaiMdrU4K0BkDVFKvZkKf0jsUuyUVwABRGsZJYs1rMZZuiCG2KzPihqCEOyEOVN6X5k', 'RT2H2nAg7ke26uq4Ptts996YOHf0Unis5aq67Vp2vtVE51kRmn5kAd4qqaWVhJq6XRtfiuyfqHK3n', 'ShTLeeI7O8Kg2CKXs4mCwAS2Pi7eMSC8Wn4lbMckpOx43eskEIAKFrirIvAH7W00g9b7OVAfZupOz', '_1iDROlENMvYe7fc95NgTvAxMQFpRpwlEClQp4nwlf4QI5PBeS2M7Yn2CZkJtxCcLX3wttMKbPTApb', 'PxLLW1aHkNIcu0L5EMoHn3NrX4tA7euThpnorCq5V4seG7ca5tF3uIXdGAPp7ojdvsdcGkWKcKzN6', 'XB14R0FaVwadjsqNJ3LjVHzD3DrmmCAX1KeVHfGxsFPxXkc7WbBBqdSe0xopiqnVLnwtoS0rguYUk'
                    Source: system log.0.dr, bj5RJocgNle1VYgW6tPR8dZQmKpSpYQwbbhcfGN6PETrghPSwZTZVYliPJ9.csHigh entropy of concatenated method names: 'SVPT2HY5g024hLb93kr5LyL8gtzkwpFnTCf0ltK8uIy3n5DzoK50gisO8Js', '_5liMMbYk75lIRJdfpFrsSKWusLxqzwx8hWQ4xpp34V6a31MnVyW6FPBdK3t', 'CHqoiVENrRO88BC2dJ2r9QTQ4IJBdtB0KXbQlnTOFThRdNkMYj4X1l1u9zj', 'HcjXZ1DbW1r1ncUhDtZBCO23AuwSzQKu5iYEc8OObhLp13agWBnHdO7yKey', 'zvbx2gOUNeGg1DI8z61ZNLlvQ80ekZsGDD1ioz2MwlhJX7RqqXFXiIJiUlX', '_2wv5JHQA16T8E8Lr7DQZ1pCR9gOo8JyPe6iJWb2X1L7cgschOLLAnxEGWDS', '_34xOKbiU3A3UpU0ltBk7iCu5FW03gwQ6X7RCh9qHNPm38qgfciZrwXzVMYK', 'AvAVcEi8ToOaiGxRonB6hzYO0LrkLkFI5GtPHFsiiFSMgnt4ORY2PaaYO7Z', 'g7hQFA691F7Ws8wuGrqPB866lhB4o4nk9kHDF1xGIP1c0yFOOYgo45YdjFZ', 'nLlW9CiigjsI7ILxpxCnxbAoxQTHv38A40HSXOouoAS3P8gYiaCTci9G1jz'
                    Source: system log.0.dr, NiBWdfYOiIaHRwmXtmy4hNkuVvxSKA0B4tuuian5LH09.csHigh entropy of concatenated method names: '_56WpXa9N1PlNqUVjBQqzQRLdELbyQT4UboLNdoWHWHkn', '_36H9c8gBUWVrhwW2S3JVp7pB7MCSnNmssykxgOk3sxHN', 'v8h0AEK5olYYDiYE3REpJntKR72O9sWP73imZN7UbdzV', 'XCGvehrJqgdDbU88ZTveKpuek2Y82f8Fp6OtV6WlNBFq', 'Cv1kPXMXHmNnOr3FrUi9BV2VBkxA0zoC60gaHiGHBNgN', 'NHkqpZxtzC7pqEjUY9KDCkgWsNfwoqqpGXZzxfPHCxCI', 'Ed10gwAguc2bzVSeQC4LxQWZKRTHSJwkkyN11KZ12Pq8', 'TqrcYns2uw3gTaLLUXKtj8hUKJzPm4yILOo6okgVCO2Q', 'CJPSF0ZYleLj939XyfSSkFazI1O3KwFHeSViNQPhvpPb', '_8DRmldxr7Nrg9Icb9LqrwIbiVOJe9er3lrMjGJUp8m2V'
                    Source: C:\Users\user\Desktop\L988Ph5sKX.exeFile created: C:\Users\user\AppData\Local\Temp\system log
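The "High entropy of concatenated method names" entries above are a renaming-obfuscation heuristic: a decompiled type whose methods are long random alphanumeric strings has a far higher per-character Shannon entropy than one whose methods are called Equals or GetHashCode. Note also that the dropped file system log.0.dr lists exactly the same types and method names as the submitted sample, consistent with the dropped file being a copy of the sample's .NET code. The following is an added example, not Joe Sandbox's own implementation: it recomputes that metric over the names quoted above and pairs it with a name-shape check, because entropy alone is unreliable for a type with only a few short methods. The 5.0 bit/char cut-off, the 64-character minimum and the shape regex are assumed values chosen for illustration.

```python
"""Shannon entropy of concatenated .NET method names, the metric behind the
'High entropy of concatenated method names' heuristic.

Added example, not Joe Sandbox's code. The 5.0 bit/char cut-off, the
64-character minimum and the name-shape regex are assumed values.
"""
import math
import re
from collections import Counter


def entropy_bits_per_char(text: str) -> float:
    """Empirical Shannon entropy H = -sum(p(c) * log2 p(c)) over the characters of text."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(k / n * math.log2(k / n) for k in Counter(text).values())


# Generated identifiers are long, purely alphanumeric, and mix case and digits the
# way human-chosen names do not. A leading underscore is how the decompiler renders
# a name that starts with a digit (see '_9YgGogD...' in the report).
_GENERATED_SHAPE = re.compile(r"^_?[A-Za-z0-9]{20,}$")


def looks_generated(name: str) -> bool:
    return (
        _GENERATED_SHAPE.match(name) is not None
        and any(c.isdigit() for c in name)
        and any(c.isupper() for c in name)
        and any(c.islower() for c in name)
    )


def classify_type(names: list[str], threshold: float = 5.0, min_chars: int = 64) -> dict:
    """Score one type's method names.

    Entropy is only trusted once enough characters are concatenated: a type with
    three 8-character methods cannot reach high entropy even if its names are
    random, so the shape check acts as a second, length-independent vote.
    """
    text = "".join(names)
    h = entropy_bits_per_char(text)
    generated = sum(looks_generated(n) for n in names)
    return {
        "chars": len(text),
        "entropy": round(h, 3),
        "generated_names": generated,
        "obfuscated": (len(text) >= min_chars and h >= threshold) or generated * 2 > len(names),
    }


# Method names copied from the report: a fully renamed type, then a type that keeps
# the compiler-generated Equals/GetHashCode/... alongside renamed members.
OBFUSCATED_TYPE = [
    "gQXgzIXUVed9JNf9sTwKwmo68imEAnhrr84mi",
    "KyuFuJTUW319v31WY49VKS5YNV2ooDEBHFflv",
    "qeNFJXLmqbvhjbEiJQv6KrKYj7q5yXuiENWja",
    "f6fxrWlFHGHidvPzy1OUZdqI0d9yky5vlsz2U",
]
MIXED_TYPE = [
    "Equals", "GetHashCode", "GetType", "ToString",
    "Create__Instance__", "Dispose__Instance__",
    "fp8CHSkgDpURSDo8XfSoptO5i2dcWjBETlLVQ",
    "hwKMKG1jjjSg5bdyWWSWr3zVlHPD6NUVjkmk4",
    "iB4ky4rnFy6rACWPvZads93CwRhAXdMY3TfGe",
    "usGankrnotrZ0LcKUMavnIeezn4B5qxkDPbWI",
]
# Constructed control: the same compiler-generated names with nothing renamed.
PLAIN_TYPE = ["Equals", "GetHashCode", "GetType", "ToString",
              "Create__Instance__", "Dispose__Instance__"]

if __name__ == "__main__":
    for label, names in (("obfuscated", OBFUSCATED_TYPE), ("mixed", MIXED_TYPE), ("plain", PLAIN_TYPE)):
        print(label, classify_type(names))
```

The plain compiler names score about 4.3 bits/char, the renamed type about 5.6, against a ceiling of log2(62), roughly 5.95, for uniformly random alphanumerics. Judge an assembly by how many of its types cross the line rather than by one type: a single legitimately generated name (hash-based or source-generator output) can trip the shape check on its own.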

                    Boot Survival

                    Source: C:\Users\user\Desktop\L988Ph5sKX.exeProcess created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "system log" /tr "C:\Users\user\AppData\Local\Temp\system log"
                    Source: C:\Users\user\Desktop\L988Ph5sKX.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\system log.lnk
                    Source: C:\Users\user\Desktop\L988Ph5sKX.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run system log
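The Boot Survival entries above are the persistence triad a hunt should key on: a scheduled task that re-runs every minute at the highest run level, a .lnk in the per-user Startup folder, and an HKCU Run value, all named "system log". The task action points at the extension-less dropped file in %TEMP%; the .lnk target and the Run value data are not shown in the report. The following is an added example, not Joe Sandbox or XWorm code: it runs those heuristics over constructed events that mirror the report, plus two benign controls (a nightly backup task under Program Files and a OneDrive Run value). The Run value's data, the benign events and the five-minute repeat cut-off are assumptions.

```python
"""Triage of the Boot Survival artefacts: a 'schtasks /create' command line, an HKCU
Run value and a Startup-folder drop. Added example, not Joe Sandbox or XWorm code.
The events at the bottom are constructed to mirror the report; the Run value's data
and the two benign control events are assumptions."""
import re

SUSPICIOUS_DIRS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\", "\\users\\public\\", "\\downloads\\")
EXEC_EXT = (".exe", ".dll", ".scr", ".com", ".bat", ".cmd", ".ps1", ".vbs", ".js")
STARTUP_DIR = "\\start menu\\programs\\startup\\"
_TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def tokenize(cmdline: str) -> list[str]:
    """Split a Windows command line on whitespace, honouring double quotes."""
    return [quoted or bare for quoted, bare in _TOKEN.findall(cmdline)]


def program_path(command: str) -> str:
    """Best-effort program part of 'path args' (quoted, or unquoted with a known extension)."""
    command = command.strip()
    if command.startswith('"'):
        return tokenize(command)[0]
    low = command.lower()
    for ext in EXEC_EXT:
        cut = low.find(ext + " ")
        if cut != -1:
            return command[: cut + len(ext)]
    return command  # nothing to split on: the whole string is the target


def parse_schtasks(cmdline: str) -> dict:
    """Pick out the schtasks.exe switches that matter for triage."""
    toks = tokenize(cmdline)
    info = {"create": False, "tn": None, "tr": None, "sc": None, "mo": None, "rl": None}
    i = 0
    while i < len(toks):
        t = toks[i].lower()
        if t == "/create":
            info["create"] = True
        elif t in ("/tn", "/tr", "/sc", "/mo", "/rl") and i + 1 < len(toks):
            info[t[1:]] = toks[i + 1]
            i += 1
        i += 1
    return info


def target_reasons(target: str, what: str) -> list[str]:
    """Checks shared by task actions and Run values: where the target lives, and whether it
    even has an executable extension (CreateProcess runs a PE from a full path regardless)."""
    reasons = []
    if any(marker in target.lower() for marker in SUSPICIOUS_DIRS):
        reasons.append(f"{what} lives in a user-writable temp/public directory")
    if target and not target.lower().endswith(EXEC_EXT):
        reasons.append(f"{what} has no executable extension")
    return reasons


def triage_schtasks(cmdline: str) -> list[str]:
    """Why a 'schtasks /create' looks like malware persistence (empty list if it does not)."""
    info = parse_schtasks(cmdline)
    if not info["create"]:
        return []
    reasons = target_reasons(program_path(info["tr"] or ""), "task action")
    # A repeat every few minutes is a watchdog that restarts the implant, not an admin schedule.
    if (info["sc"] or "").lower() == "minute" and (info["mo"] or "").isdigit() and int(info["mo"]) <= 5:
        reasons.append(f"re-runs every {info['mo']} minute(s)")
    if (info["rl"] or "").upper() == "HIGHEST":
        reasons.append("asks for the highest available run level")
    return reasons


def triage(events: list[dict]) -> dict[int, list[str]]:
    """Map event index -> reasons, for each event that tripped a heuristic."""
    hits = {}
    for idx, ev in enumerate(events):
        if ev["type"] == "process" and "schtasks" in ev["cmdline"].lower():
            reasons = triage_schtasks(ev["cmdline"])
        elif ev["type"] == "registry" and "\\currentversion\\run" in ev["key"].lower():
            reasons = target_reasons(program_path(ev["data"]), "Run value")
        elif ev["type"] == "file" and STARTUP_DIR in ev["path"].lower():
            reasons = ["file dropped into the per-user Startup folder"]
        else:
            reasons = []
        if reasons:
            hits[idx] = reasons
    return hits


RUN_KEY = "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
SAMPLE_EVENTS = [  # 0-2 mirror the report; 3-4 are benign controls (all constructed)
    {"type": "process", "cmdline": '"C:\\Windows\\System32\\schtasks.exe" /create /f /RL HIGHEST /sc minute '
                                   '/mo 1 /tn "system log" /tr "C:\\Users\\user\\AppData\\Local\\Temp\\system log"'},
    {"type": "registry", "key": RUN_KEY, "name": "system log",
     "data": "C:\\Users\\user\\AppData\\Local\\Temp\\system log"},  # data not in the report: assumed
    {"type": "file", "path": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu"
                             "\\Programs\\Startup\\system log.lnk"},
    {"type": "process", "cmdline": 'schtasks.exe /create /sc daily /st 02:00 /tn "Nightly backup" '
                                   '/tr "C:\\Program Files\\Vendor\\backup.exe"'},
    {"type": "registry", "key": RUN_KEY, "name": "OneDrive",
     "data": "C:\\Users\\user\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background"},
]

if __name__ == "__main__":
    for idx, reasons in triage(SAMPLE_EVENTS).items():
        print(f"event {idx} ({SAMPLE_EVENTS[idx]['type']}): " + "; ".join(reasons))
```

The OneDrive control is there because legitimate per-user software also starts from AppData\Local, so the directory check keys on Temp, Public and Downloads rather than on AppData as a whole, and the extension-less target is kept as a second, independent signal. On a live host the same inputs come from schtasks /query /v /fo LIST, Get-ItemProperty on HKCU:\Software\Microsoft\Windows\CurrentVersion\Run, and a directory listing of %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup.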

                    Hooking and other Techniques for Hiding and Protection

                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 (identical entry logged 16 times)
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 (identical entry logged 12 times)
                    Source: C:\Users\user\Desktop\L988Ph5sKX.exeProcess information set: NOOPENFILEERRORBOX (identical entry logged 56 times)
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX (identical entry logged at least 64 times)
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX (133 identical entries)
                    Source: C:\Users\user\AppData\Local\Temp\system log | Process information set: NOOPENFILEERRORBOX (25 identical entries)
                    Source: C:\Windows\System32\OpenWith.exe | Process information set: NOOPENFILEERRORBOX (24 identical entries)

                    Malware Analysis System Evasion

                    Source: global traffic | HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
                    Source: C:\Users\user\Desktop\L988Ph5sKX.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController (3 identical entries)
                    Source: L988Ph5sKX.exe, 00000000.00000002.3352894957.0000000002EF1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: SBIEDLL.DLL
                    Source: L988Ph5sKX.exe, system log.0.dr | Binary or memory string: SBIEDLL.DLLK5KLQ53W9IQCIHCZPNKAOP7F0EOCVRWOGCRA6HKKAZGM7S4AHUHX8KJNAKHBJYGX6KFTHQ1JQQRYKPELON0JLBWQL402HRY1SP9OM48SYJKG34ZX32KZRVZJ9EYS3PN88NIV4SCGBW4LSPIIVVCAUBXAKZAB7GBF0S9PYRZPTJWJX0U0ZLW8UFP2XFK9WIKFMWLNOXDW1HRTIETSOHBBKZD1XMW0EUWTI9PIKRCKKWBA6EHMOG3YXIHVYXEPNWJE6JQXSTTCCJKRDO6YVQW91AQO3TDTYPPLU8QVHHEAPG5TBNHFK2SDOFXLDRWJWMQIGL68CCTUJDPHBBFMOZJJYTKESUWX6UAELVJIYSM4LLNE3ZELM6NHHAQFU5OGK1MTJ1APYLDXKFFVJ8XGKOCCT5RJS7ITVZEGTJKY65VENKQCIA1RPMLRLZLJVZK1KIQXMLWHU32LKOMY7GJ5RZHBNWNJOKFTKKR2QANTNKNBGLF8JRKE3S7HC3JRFR0Q6IYLFOEPWRXCY5T5MDG3FHRZINFO
                    Source: C:\Users\user\Desktop\L988Ph5sKX.exe | Memory allocated: 1050000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\L988Ph5sKX.exe | Memory allocated: 1AEF0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Local\Temp\system log | Memory allocated: 750000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Local\Temp\system log | Memory allocated: 1A230000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\L988Ph5sKX.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477 (4 identical entries)
                    Source: C:\Users\user\AppData\Local\Temp\system log | Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\L988Ph5sKX.exe | Window / User API: threadDelayed 9809
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 6133
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3696
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 7818
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1792
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 8102
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1539
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 6366
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3274
                    Source: C:\Users\user\Desktop\L988Ph5sKX.exe TID: 616 | Thread sleep time: -18446744073709540s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2740 | Thread sleep time: -6456360425798339s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1976 | Thread sleep count: 7818 > 30
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1208 | Thread sleep count: 1792 > 30
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6792 | Thread sleep time: -8301034833169293s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5608 | Thread sleep time: -2767011611056431s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4032 | Thread sleep count: 6366 > 30
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6184 | Thread sleep count: 3274 > 30
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5644 | Thread sleep time: -6456360425798339s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\system log TID: 7072 | Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\System32\svchost.exe TID: 3496 | Thread sleep time: -30000s >= -30000s
                    Source: C:\Windows\System32\svchost.exe | File opened: PhysicalDrive0
                    Source: C:\Users\user\Desktop\L988Ph5sKX.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
                    Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                    Source: C:\Users\user\Desktop\L988Ph5sKX.exe | File Volume queried: C:\ FullSizeInformation (4 identical entries)
                    Source: C:\Users\user\AppData\Local\Temp\system log | File Volume queried: C:\ FullSizeInformation
                    Source: C:\Users\user\Desktop\L988Ph5sKX.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477 (4 identical entries)
                    Source: C:\Users\user\AppData\Local\Temp\system log | Thread delayed: delay time: 922337203685477
                    Source: system log.0.dr | Binary or memory string: vmware
                    Source: svchost.exe, 00000013.00000002.3349883512.0000018AE2E54000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
                    Source: svchost.exe, 00000013.00000002.3348009062.0000018ADD82B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW@
                    Source: L988Ph5sKX.exe, 00000000.00000002.3360671398.000000001BE0F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                    Source: C:\Users\user\Desktop\L988Ph5sKX.exe | Process information queried: ProcessInformation

                    Anti Debugging

                    Source: C:\Users\user\Desktop\L988Ph5sKX.exe | Code function: 0_2_00007FFD34897A81 CheckRemoteDebuggerPresent,0_2_00007FFD34897A81
                    Source: C:\Users\user\Desktop\L988Ph5sKX.exe | Process queried: DebugPort
                    Source: C:\Users\user\Desktop\L988Ph5sKX.exe | Process token adjusted: Debug (2 identical entries)
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug (4 identical entries)
                    Source: C:\Users\user\AppData\Local\Temp\system log | Process token adjusted: Debug
                    Source: C:\Users\user\Desktop\L988Ph5sKX.exe | Memory allocated: page read and write | page guard

                    HIPS / PFW / Operating System Protection Evasion

                    Source: C:\Users\user\Desktop\L988Ph5sKX.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\L988Ph5sKX.exe' (4 identical entries)
                    Source: C:\Users\user\Desktop\L988Ph5sKX.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\system log' (3 identical entries)
                    Source: C:\Users\user\Desktop\L988Ph5sKX.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'L988Ph5sKX.exe'
                    Source: C:\Users\user\Desktop\L988Ph5sKX.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'system log'
                    Source: C:\Users\user\Desktop\L988Ph5sKX.exe | Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "system log" /tr "C:\Users\user\AppData\Local\Temp\system log"
                    Source: L988Ph5sKX.exe, 00000000.00000002.3352894957.0000000002F69000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 'PING!<Xwormmm>Program Manager<Xwormmm>0
                    Source: L988Ph5sKX.exe, 00000000.00000002.3352894957.0000000002F69000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program Manager
                    Source: L988Ph5sKX.exe, 00000000.00000002.3352894957.0000000002F69000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: PING!<Xwormmm>Program Manager<Xwormmm>0
                    Source: L988Ph5sKX.exe, 00000000.00000002.3352894957.0000000002F69000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 'PING!<Xwormmm>Program Manager<Xwormmm>0@
                    Source: L988Ph5sKX.exe, 00000000.00000002.3352894957.0000000002F69000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program Manager2
                    Source: C:\Users\user\Desktop\L988Ph5sKX.exeQueries volume information: C:\Users\user\Desktop\L988Ph5sKX.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\L988Ph5sKX.exeQueries volume information: C:\ VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\system logQueries volume information: C:\Users\user\AppData\Local\Temp\system log VolumeInformation
                    Source: C:\Windows\System32\OpenWith.exeQueries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
                    Source: C:\Windows\System32\OpenWith.exeQueries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation
                    Source: C:\Windows\System32\OpenWith.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
                    Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
                    Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
                    Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
                    Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
                    Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
                    Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
                    Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
                    Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
                    Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
                    Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
                    Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
                    Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformation
                    Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformation
                    Source: C:\Users\user\Desktop\L988Ph5sKX.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
                    Source: L988Ph5sKX.exe, 00000000.00000002.3360671398.000000001BE0F000.00000004.00000020.00020000.00000000.sdmp, L988Ph5sKX.exe, 00000000.00000002.3360671398.000000001BE9E000.00000004.00000020.00020000.00000000.sdmp, L988Ph5sKX.exe, 00000000.00000002.3347646364.00000000010EA000.00000004.00000020.00020000.00000000.sdmp, L988Ph5sKX.exe, 00000000.00000002.3347646364.000000000113C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
                    Source: C:\Users\user\Desktop\L988Ph5sKX.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                    Source: C:\Users\user\Desktop\L988Ph5sKX.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                    Source: C:\Users\user\Desktop\L988Ph5sKX.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

                    Stealing of Sensitive Information

                    Source: Yara match | File source: L988Ph5sKX.exe, type: SAMPLE
                    Source: Yara match | File source: 0.0.L988Ph5sKX.exe.b10000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000000.00000000.2086421489.0000000000B12000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.3352894957.0000000002EF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: L988Ph5sKX.exe PID: 6520, type: MEMORYSTR
                    Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\system log, type: DROPPED

                    Remote Access Functionality

                    Source: Yara match | File source: L988Ph5sKX.exe, type: SAMPLE
                    Source: Yara match | File source: 0.0.L988Ph5sKX.exe.b10000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000000.00000000.2086421489.0000000000B12000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.3352894957.0000000002EF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: L988Ph5sKX.exe PID: 6520, type: MEMORYSTR
                    Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\system log, type: DROPPED
                    MITRE ATT&CK Matrix (techniques listed per tactic column; a bracketed number is the hit count the report shows for a technique the sample matched, techniques without a number were not observed)

                    Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
                    Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
                    Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
                    Execution: Windows Management Instrumentation [12]; Scheduled Task/Job [1]; PowerShell [1]; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
                    Persistence: Scheduled Task/Job [1]; Registry Run Keys / Startup Folder [21]; DLL Side-Loading [1]; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
                    Privilege Escalation: Process Injection [12]; Scheduled Task/Job [1]; Registry Run Keys / Startup Folder [21]; DLL Side-Loading [1]; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
                    Defense Evasion: Masquerading [21]; Disable or Modify Tools [11]; Virtualization/Sandbox Evasion [161]; Process Injection [12]; Deobfuscate/Decode Files or Information [1]; Obfuscated Files or Information [1]; Software Packing [2]; DLL Side-Loading [1]
                    Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
                    Discovery: Security Software Discovery [551]; Process Discovery [2]; Virtualization/Sandbox Evasion [161]; Application Window Discovery [1]; System Network Configuration Discovery [1]; File and Directory Discovery [1]; System Information Discovery [33]; System Owner/User Discovery
                    Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
                    Collection: Archive Collected Data [11]; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
                    Command and Control: Encrypted Channel [1]; Non-Standard Port [1]; Ingress Tool Transfer [1]; Non-Application Layer Protocol [2]; Application Layer Protocol [12]; Multiband Communication; Commonly Used Port; Application Layer Protocol
                    Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
                    Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement
                    Hide Legend

                    Legend:

                    • Process
                    • Signature
                    • Created File
                    • DNS/IP Info
                    • Is Dropped
                    • Is Windows Process
                    • Number of created Registry Values
                    • Number of created Files
                    • Visual Basic
                    • Delphi
                    • Java
                    • .Net C# or VB.NET
                    • C, C++ or other language
                    • Is malicious
                    • Internet
Behavior Graph ID: 1583092 | Sample: L988Ph5sKX.exe | Start date: 01/01/2025 | Architecture: WINDOWS | Score: 100

Start (node 2)
  DNS/IP: ip-api.com (node 40)
  Signatures: Suricata IDS alerts for network traffic (48); Found malware configuration (50); Malicious sample detected (through community Yara rule) (52); 19 other signatures (54)
  Started: L988Ph5sKX.exe 15 6 (node 8); svchost.exe (node 13); system log (node 15); 2 other processes (node 17)
L988Ph5sKX.exe (node 8)
  DNS/IP: 147.185.221.24, 49974, 49981, 49982, SALSGIVERUS, United States (node 42); ip-api.com 208.95.112.1, 49699, 80, TUT-ASUS, United States (node 44)
  Dropped: C:\Users\user\AppData\Local\Temp\system log, PE32 (node 38)
  Signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) (58); Protects its processes via BreakOnTermination flag (60); Bypasses PowerShell execution policy (62); 4 other signatures (64)
  Started: powershell.exe 23 (node 19); powershell.exe 23 (node 22); powershell.exe 23 (node 24); 2 other processes (node 26)
svchost.exe (node 13)
  DNS/IP: 127.0.0.1 unknown unknown (node 46)
powershell.exe (node 19)
  Signatures: Loading BitLocker PowerShell Module (56)
  Started: conhost.exe (node 28)
powershell.exe (node 22)
  Started: conhost.exe (node 30)
powershell.exe (node 24)
  Started: conhost.exe (node 32)
2 other processes (node 26)
  Started: conhost.exe (node 34); conhost.exe (node 36)

Source | Detection | Scanner | Label
L988Ph5sKX.exe | 68% | Virustotal |
L988Ph5sKX.exe | 82% | ReversingLabs | Win32.Exploit.Xworm
L988Ph5sKX.exe | 100% | Avira | TR/Spy.Gen
L988Ph5sKX.exe | 100% | Joe Sandbox ML |

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\system log | 100% | Avira | TR/Spy.Gen
C:\Users\user\AppData\Local\Temp\system log | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\system log | 82% | ReversingLabs | Win32.Exploit.Xworm

No Antivirus matches

No Antivirus matches

Source | Detection | Scanner | Label
http://www.microsoft.co~ | 0% | Avira URL Cloud | safe
http://www.microsoft.cojj | 0% | Avira URL Cloud | safe
http://www.microsoft.coj | 0% | Avira URL Cloud | safe
147.185.221.24 | 0% | Avira URL Cloud | safe
http://go.microsoft.ctain | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
ip-api.com | 208.95.112.1 | true | false | | high

Name | Malicious | Antivirus Detection | Reputation
147.185.221.24 | true | Avira URL Cloud: safe | unknown
http://ip-api.com/line/?fields=hosting | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
http://nuget.org/NuGet.exe | powershell.exe, 00000002.00000002.2192164850.000001809006E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2318244695.000002A3BE36F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2492215405.0000021C5D27F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2703011351.00000222B391E000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://pesterbdd.com/images/Pester.png | powershell.exe, 0000000D.00000002.2554378115.00000222A3ADA000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/soap/encoding/ | powershell.exe, 00000002.00000002.2172364854.0000018080229000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2242788972.000002A3AE529000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2373077922.0000021C4D43A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2554378115.00000222A3ADA000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 0000000D.00000002.2554378115.00000222A3ADA000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.micom/pkiops/Docs/ry.htm0 | powershell.exe, 00000002.00000002.2207161585.00000180EAA60000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.microsoft.co | powershell.exe, 00000005.00000002.2339854356.000002A3C6966000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://contoso.com/License | powershell.exe, 0000000D.00000002.2703011351.00000222B391E000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/Icon | powershell.exe, 0000000D.00000002.2703011351.00000222B391E000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://g.live.com/odclientsettings/ProdV21C: | svchost.exe, 00000013.00000003.2891978247.0000018AE2C90000.00000004.00000800.00020000.00000000.sdmp, edb.log.19.dr | false | | high
http://crl.ver) | svchost.exe, 00000013.00000002.3349955530.0000018AE2E61000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.microsoft.co~ | powershell.exe, 0000000D.00000002.2735411383.00000222BBDD0000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://github.com/Pester/Pester | powershell.exe, 0000000D.00000002.2554378115.00000222A3ADA000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://crl.m | powershell.exe, 0000000A.00000002.2515332922.0000021C65BA0000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://g.live.com/odclientsettings/Prod1C: | qmgr.db.19.dr | false | | high
http://www.microsoft.coj | powershell.exe, 00000005.00000002.2341378075.000002A3C6ADC000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/wsdl/ | powershell.exe, 00000002.00000002.2172364854.0000018080229000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2242788972.000002A3AE529000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2373077922.0000021C4D43A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2554378115.00000222A3ADA000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/ | powershell.exe, 0000000D.00000002.2703011351.00000222B391E000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://nuget.org/nuget.exe | powershell.exe, 00000002.00000002.2192164850.000001809006E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2318244695.000002A3BE36F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2492215405.0000021C5D27F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2703011351.00000222B391E000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://go.microsoft.c | powershell.exe, 00000005.00000002.2240784619.000002A3AC819000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://go.microsoft.ctain | powershell.exe, 00000005.00000002.2240784619.000002A3AC819000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://aka.ms/pscore68 | powershell.exe, 00000002.00000002.2172364854.0000018080001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2242788972.000002A3AE301000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2373077922.0000021C4D211000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2554378115.00000222A38B1000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | L988Ph5sKX.exe, 00000000.00000002.3352894957.0000000002EF1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2172364854.0000018080001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2242788972.000002A3AE301000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2373077922.0000021C4D211000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2554378115.00000222A38B1000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.microsoft.cojj | powershell.exe, 00000005.00000002.2341378075.000002A3C6ADC000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
208.95.112.1 | ip-api.com | United States | 53334 | TUT-ASUS | false
147.185.221.24 | unknown | United States | 12087 | SALSGIVERUS | true

IP
127.0.0.1
                                                              Joe Sandbox version:41.0.0 Charoite
                                                              Analysis ID:1583092
                                                              Start date and time:2025-01-01 21:58:04 +01:00
                                                              Joe Sandbox product:CloudBasic
                                                              Overall analysis duration:0h 6m 35s
                                                              Hypervisor based Inspection enabled:false
                                                              Report type:full
                                                              Cookbook file name:default.jbs
                                                              Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:21
                                                              Number of new started drivers analysed:0
                                                              Number of existing processes analysed:0
                                                              Number of existing drivers analysed:0
                                                              Number of injected processes analysed:0
                                                              Technologies:
                                                              • HCA enabled
                                                              • EGA enabled
                                                              • AMSI enabled
                                                              Analysis Mode:default
                                                              Analysis stop reason:Timeout
                                                              Sample name:L988Ph5sKX.exe
                                                              renamed because original name is a hash value
                                                              Original Sample Name:5c6f9ad1a92365495fc5bf4dae87dd8d01c98850ddbbeec9e2c458252a030fef.exe
                                                              Detection:MAL
                                                              Classification:mal100.troj.evad.winEXE@19/25@1/3
                                                              EGA Information:
                                                              • Successful, ratio: 16.7%
                                                              HCA Information:
                                                              • Successful, ratio: 99%
                                                              • Number of executed functions: 64
                                                              • Number of non-executed functions: 4
                                                              Cookbook Comments:
                                                              • Found application associated with file extension: .exe
                                                              • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, WmiPrvSE.exe
                                                              • Excluded IPs from analysis (whitelisted): 184.28.90.27, 13.107.246.45, 20.109.210.53, 4.175.87.197
                                                              • Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, e16604.g.akamaiedge.net, ctldl.windowsupdate.com, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, fe3cr.delivery.mp.microsoft.com
                                                              • Execution Graph export aborted for target powershell.exe, PID 3872 because it is empty
                                                              • Execution Graph export aborted for target powershell.exe, PID 4948 because it is empty
                                                              • Execution Graph export aborted for target powershell.exe, PID 6924 because it is empty
                                                              • Execution Graph export aborted for target powershell.exe, PID 876 because it is empty
                                                              • Execution Graph export aborted for target system log, PID 6596 because it is empty
• Not all processes were analyzed; report is missing behavior information
                                                              • Report size exceeded maximum capacity and may have missing behavior information.
                                                              • Report size getting too big, too many NtCreateKey calls found.
                                                              • Report size getting too big, too many NtOpenKeyEx calls found.
                                                              • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                              • Report size getting too big, too many NtQueryValueKey calls found.
                                                              • Report size getting too big, too many NtReadVirtualMemory calls found.
Time | Type | Description
15:58:58 | API Interceptor | 59x Sleep call for process: powershell.exe modified
16:00:01 | API Interceptor | 116x Sleep call for process: L988Ph5sKX.exe modified
16:00:12 | API Interceptor | 2x Sleep call for process: OpenWith.exe modified
16:00:13 | API Interceptor | 2x Sleep call for process: svchost.exe modified
22:00:02 | Task Scheduler | Run new task: system log path: C:\Users\user\AppData\Local\Temp\system s>log
22:00:03 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run system log C:\Users\user\AppData\Local\Temp\system log
22:00:11 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run system log C:\Users\user\AppData\Local\Temp\system log
22:00:19 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\system log.lnk
Match | Associated Sample Name / URL | Detection | Threat Name | Context
208.95.112.1 | kj93GnZHBS.exe | malicious | AsyncRAT, XWorm | ip-api.com/line/?fields=hosting
208.95.112.1 | ANuh30XoVu.exe | malicious | XWorm | ip-api.com/line/?fields=hosting
208.95.112.1 | rivalsanticheat.exe | malicious | XWorm | ip-api.com/line/?fields=hosting
208.95.112.1 | rename_me_before.exe | malicious | Python Stealer, Exela Stealer | ip-api.com/json
208.95.112.1 | vEtDFkAZjO.exe | malicious | RL STEALER, StormKitty | ip-api.com/xml
208.95.112.1 | Fizzy Loader.exe | malicious | Blank Grabber, Umbral Stealer | ip-api.com/json/?fields=225545
208.95.112.1 | Extreme Injector v3.exe | malicious | XWorm | ip-api.com/line/?fields=hosting
208.95.112.1 | VegaStealer_v2.exe | malicious | Ades Stealer, BlackGuard, NitroStealer, VEGA Stealer | ip-api.com/json/?fields=61439
208.95.112.1 | SharcHack.exe | malicious | Ades Stealer, BlackGuard, NitroStealer, VEGA Stealer, Xmrig | ip-api.com/json/
208.95.112.1 | SharcHack.exe | malicious | Ades Stealer, BlackGuard, NitroStealer, VEGA Stealer | ip-api.com/json/?fields=61439
147.185.221.24 | ANuh30XoVu.exe | malicious | XWorm |
147.185.221.24 | p59UXHJRX3.exe | malicious | XenoRAT |
147.185.221.24 | JdYlp3ChrS.exe | malicious | Njrat |
147.185.221.24 | Extreme Injector v3.exe | malicious | XWorm |
147.185.221.24 | test.exe | malicious | DarkComet |
147.185.221.24 | L363rVr7oL.exe | malicious | Njrat |
147.185.221.24 | horrify's Modx Menu v1.exe | malicious | XWorm |
147.185.221.24 | fvbhdyuJYi.exe | malicious | XWorm |
147.185.221.24 | 8DiSW8IPEF.exe | malicious | XWorm |
147.185.221.24 | KJhsNv2RcI.exe | malicious | XWorm |

Match | Associated Sample Name / URL | Detection | Threat Name | Context
ip-api.com | kj93GnZHBS.exe | malicious | AsyncRAT, XWorm | 208.95.112.1
ip-api.com | ANuh30XoVu.exe | malicious | XWorm | 208.95.112.1
ip-api.com | rivalsanticheat.exe | malicious | XWorm | 208.95.112.1
ip-api.com | rename_me_before.exe | malicious | Python Stealer, Exela Stealer | 208.95.112.1
ip-api.com | vEtDFkAZjO.exe | malicious | RL STEALER, StormKitty | 208.95.112.1
ip-api.com | Fizzy Loader.exe | malicious | Blank Grabber, Umbral Stealer | 208.95.112.1
ip-api.com | Extreme Injector v3.exe | malicious | XWorm | 208.95.112.1
ip-api.com | VegaStealer_v2.exe | malicious | Ades Stealer, BlackGuard, NitroStealer, VEGA Stealer | 208.95.112.1
ip-api.com | SharcHack.exe | malicious | Ades Stealer, BlackGuard, NitroStealer, VEGA Stealer, Xmrig | 208.95.112.1
ip-api.com | SharcHack.exe | malicious | Ades Stealer, BlackGuard, NitroStealer, VEGA Stealer | 208.95.112.1

Match | Associated Sample Name / URL | Detection | Threat Name | Context
TUT-ASUS | kj93GnZHBS.exe | malicious | AsyncRAT, XWorm | 208.95.112.1
TUT-ASUS | ANuh30XoVu.exe | malicious | XWorm | 208.95.112.1
TUT-ASUS | rivalsanticheat.exe | malicious | XWorm | 208.95.112.1
TUT-ASUS | rename_me_before.exe | malicious | Python Stealer, Exela Stealer | 208.95.112.1
TUT-ASUS | vEtDFkAZjO.exe | malicious | RL STEALER, StormKitty | 208.95.112.1
TUT-ASUS | Fizzy Loader.exe | malicious | Blank Grabber, Umbral Stealer | 208.95.112.1
TUT-ASUS | Extreme Injector v3.exe | malicious | XWorm | 208.95.112.1
TUT-ASUS | VegaStealer_v2.exe | malicious | Ades Stealer, BlackGuard, NitroStealer, VEGA Stealer | 208.95.112.1
TUT-ASUS | SharcHack.exe | malicious | Ades Stealer, BlackGuard, NitroStealer, VEGA Stealer, Xmrig | 208.95.112.1
TUT-ASUS | SharcHack.exe | malicious | Ades Stealer, BlackGuard, NitroStealer, VEGA Stealer | 208.95.112.1
SALSGIVERUS | ANuh30XoVu.exe | malicious | XWorm | 147.185.221.24
SALSGIVERUS | p59UXHJRX3.exe | malicious | XenoRAT | 147.185.221.24
SALSGIVERUS | JdYlp3ChrS.exe | malicious | Njrat | 147.185.221.24
SALSGIVERUS | Extreme Injector v3.exe | malicious | XWorm | 147.185.221.24
SALSGIVERUS | OneDrive.exe | malicious | Quasar | 147.185.221.22
SALSGIVERUS | gReXLT7XjR.exe | malicious | Njrat | 147.185.221.18
SALSGIVERUS | _____.exe | malicious | DarkComet | 147.185.221.23
SALSGIVERUS | test.exe | malicious | DarkComet | 147.185.221.24
SALSGIVERUS | L363rVr7oL.exe | malicious | Njrat | 147.185.221.24
SALSGIVERUS | WO.exe | malicious | Metasploit | 147.185.221.23

No context

No context
                                                                                  Process:C:\Windows\System32\svchost.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):1310720
                                                                                  Entropy (8bit):0.7262956065539588
                                                                                  Encrypted:false
                                                                                  SSDEEP:1536:9J8s6YR3pnhWKInznxTgScwXhCeEcrKYSZNmTHk4UQJ32aqGT46yAwFM5hA7yH09:9JZj5MiKNnNhoxuM
                                                                                  MD5:39AE52D1CD8659A9B35DAB18FF7765D0
                                                                                  SHA1:F78C306ADD065569E530B80EF6B381015B59F97A
                                                                                  SHA-256:771406AA89DBCF7E46D2829282D71E569A023C33AB52055402B3F5E67F83E628
                                                                                  SHA-512:6F82E2567122A968CD78FAF8C1F6E8858755C63EAE5FBD4534A8D99A0E7D73A217037EA1B46ABBE1AFD0B02982B9A9A36E9434B13D03AB95EBA558E9ADFDC840
                                                                                  Malicious:false
                                                                                  Preview:...........@..@9....{...;...{..........<...D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@....................................Fajaj.#.........`h.................h.......6.......X\...;...{..................C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.M.i.c.r.o.s.o.f.t.\.N.e.t.w.o.r.k.\.D.o.w.n.l.o.a.d.e.r.\.q.m.g.r...d.b....................................................................................................................................................................
                                                                                  Process:C:\Windows\System32\svchost.exe
                                                                                  File Type:Extensible storage user DataBase, version 0x620, checksum 0xc4c5eecf, page size 16384, DirtyShutdown, Windows version 10.0
                                                                                  Category:dropped
                                                                                  Size (bytes):1310720
                                                                                  Entropy (8bit):0.7555074605865831
                                                                                  Encrypted:false
                                                                                  SSDEEP:1536:FSB2ESB2SSjlK/svFH03N9Jdt8lYkr3g16xj2UPkLk+kLWyrufTRryrUYc//kbxW:FazaSvGJzYj2UlmOlOL
                                                                                  MD5:840CCEA454B603DA4E591765609BFC76
                                                                                  SHA1:3BA289288768278F967D2816DA7DA8D8F4B3B72B
                                                                                  SHA-256:9B4D9ACE74A6F571C55B2BCE1751CAB16037149956F70ACC9AC65113D646ABDE
                                                                                  SHA-512:8C3A3EBF4E6716759AF58439251627757CA163F45BE12A0F4D64BAEB600F29107BA77C4785890A72AAEB8FDFC694B8C3D04462E3F6838AB2AF8DB548DB65CBD5
                                                                                  Malicious:false
                                                                                  Preview:....... .......7.......X\...;...{......................0.e......!...{?......}..h.g.........................D./..;...{..........................................................................................................eJ......n....@...................................................................................................... .......9....{...............................................................................................................................................................................................2...{..................................i.!......}.....................s.....}...........................#......h.g.....................................................................................................................................................................................................................................................................................................................................................
                                                                                  Process:C:\Windows\System32\svchost.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):16384
                                                                                  Entropy (8bit):0.07814890696590013
                                                                                  Encrypted:false
                                                                                  SSDEEP:3:+W8YefGh3EcveuNaAPaU1lDqDhll/llolluxmO+l/SNxOf:2zfGh0BuNDPaU7qDhXAgmOH
                                                                                  MD5:F6C624A29DB6D4FBF475DCC9153E2287
                                                                                  SHA1:54D29FC886E16E8DB751400269B2C112C18A29CD
                                                                                  SHA-256:412C3CF6270E61DDCE4A1746B4F619459E1E71CEE25746EC5A319C862096646C
                                                                                  SHA-512:BB5877A915590FDFDC3CE8967894E637E01562813E724A91D9D8CC9A2C3D1F3B28E2C81C7C328C4CC4291924308AD250296FE679EFA0F5BFF3EBC661DD236456
                                                                                  Malicious:false
                                                                                  Preview:..qU.....................................;...{.......}...!...{?..........!...{?..!...{?..g...!...{?....................s.....}..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                  Process:C:\Users\user\AppData\Local\Temp\system log
                                                                                  File Type:CSV text
                                                                                  Category:dropped
                                                                                  Size (bytes):654
                                                                                  Entropy (8bit):5.380476433908377
                                                                                  Encrypted:false
                                                                                  SSDEEP:12:Q3La/KDLI4MWuPXcp1OKbbDLI4MWuPOKfSSI6Khap+92n4MNQp3/VXM5gXu9tv:ML9E4KQwKDE4KGKZI6Kh6+84xp3/VclT
                                                                                  MD5:30E4BDFC34907D0E4D11152CAEBE27FA
                                                                                  SHA1:825402D6B151041BA01C5117387228EC9B7168BF
                                                                                  SHA-256:A7B8F7FFB4822570DB1423D61ED74D7F4B538CE73521CC8745BC6B131C18BE63
                                                                                  SHA-512:89FBCBCDB0BE5AD7A95685CF9AA4330D5B0250440E67DC40C6642260E024F52A402E9381F534A9824D2541B98B02094178A15BF2320148432EDB0D09B5F972BA
                                                                                  Malicious:false
                                                                                  Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V9921e851#\04de61553901f06e2f763b6f03a6f65a\Microsoft.VisualBasic.ni.dll",0..
                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                  File Type:data
                                                                                  Category:modified
                                                                                  Size (bytes):64
                                                                                  Entropy (8bit):0.34726597513537405
                                                                                  Encrypted:false
                                                                                  SSDEEP:3:Nlll:Nll
                                                                                  MD5:446DD1CF97EABA21CF14D03AEBC79F27
                                                                                  SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
                                                                                  SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
                                                                                  SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
                                                                                  Malicious:false
                                                                                  Preview:@...e...........................................................
                                                                                  Process:C:\Users\user\Desktop\L988Ph5sKX.exe
                                                                                  File Type:Generic INItialization configuration [WIN]
                                                                                  Category:dropped
                                                                                  Size (bytes):64
                                                                                  Entropy (8bit):3.6722687970803873
                                                                                  Encrypted:false
                                                                                  SSDEEP:3:rRSFYJKXzovNsr42VjFYJKXzovuEXn:EFYJKDoWr5FYJKDoG+n
                                                                                  MD5:DE63D53293EBACE29F3F54832D739D40
                                                                                  SHA1:1BC3FEF699C3C2BB7B9A9D63C7E60381263EDA7F
                                                                                  SHA-256:A86BA2FC02725E4D97799A622EB68BF2FCC6167D439484624FA2666468BBFB1B
                                                                                  SHA-512:10AB83C81F572DBAA99441D2BFD8EC5FF1C4BA84256ACDBD24FEB30A33498B689713EBF767500DAAAD6D188A3B9DC970CF858A6896F4381CEAC1F6A74E1603D0
                                                                                  Malicious:false
                                                                                  Preview:....### explorer ###..[WIN]r[WIN]....### explorer ###..r[WIN]r
                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                  File Type:ASCII text, with no line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):60
                                                                                  Entropy (8bit):4.038920595031593
                                                                                  Encrypted:false
                                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                  Malicious:false
                                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                  File Type:ASCII text, with no line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):60
                                                                                  Entropy (8bit):4.038920595031593
                                                                                  Encrypted:false
                                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                  Malicious:false
                                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                  File Type:ASCII text, with no line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):60
                                                                                  Entropy (8bit):4.038920595031593
                                                                                  Encrypted:false
                                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                  Malicious:false
                                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                  File Type:ASCII text, with no line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):60
                                                                                  Entropy (8bit):4.038920595031593
                                                                                  Encrypted:false
                                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                  Malicious:false
                                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                  Process:C:\Users\user\Desktop\L988Ph5sKX.exe
                                                                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):74240
                                                                                  Entropy (8bit):6.041904833243209
                                                                                  Encrypted:false
                                                                                  SSDEEP:1536:SVYiaPTgfWavwsP92pVXbzK+hTHAzJx0EX6E5UEO+zX9QC:SVYiYGvHkVXbzK+DoO+zt3
                                                                                  MD5:98219390B2A78D205EE6FD761B7F5F93
                                                                                  SHA1:4D616C0683DCF2EDFAC9ABA4BABB0D05287B0B1C
                                                                                  SHA-256:5C6F9AD1A92365495FC5BF4DAE87DD8D01C98850DDBBEEC9E2C458252A030FEF
                                                                                  SHA-512:1264AAD5D38BA99F0632F0ADF2717E94969C943626AD37183EEEC8904C6343C4DFE13312651527BBA895B45DBC8D0EC48052CC507A3ACB10930916A0447241DB
                                                                                  Malicious:true
                                                                                  Yara Hits:
                                                                                  • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Local\Temp\system log, Author: Joe Security
                                                                                  • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Local\Temp\system log, Author: Joe Security
                                                                                  • Rule: rat_win_xworm_v3, Description: Finds XWorm (version XClient, v3) samples based on characteristic strings, Source: C:\Users\user\AppData\Local\Temp\system log, Author: Sekoia.io
                                                                                  • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Local\Temp\system log, Author: ditekSHen
                                                                                  Antivirus:
                                                                                  • Antivirus: Avira, Detection: 100%
                                                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                  • Antivirus: ReversingLabs, Detection: 82%
                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....ug............................^7... ...@....@.. ....................................@..................................7..S....@.......................`....................................................... ............... ..H............text...d.... ...................... ..`.rsrc........@......................@..@.reloc.......`....... ..............@..B................@7......H........c..........&.....................................................(....*.r...p*. q...*..(....*.r...p*. *p{.*.s.........s.........s.........s.........*.r...p*. w...*.rX..p*. 6V=.*.r...p*. S...*.r...p*. ....*.r<..p*. ..8.*..((...*.rV..p*.r...p*. .p\.*.(+...-.(,...,.+.(-...,.+.(*...,.+.()...,..(Z...*"(....+.*&(....&+.*.+5sk... .... .'..ol...(,...~....-.(_...(Q...~....om...&.-.*.r...p*. Q.O.*.rJ..p*. Gd..*.r...p*. E/..*.r...p*. .\=.*.r...p*. .x!.*.rz..p*. ...*.r...p*. .#
                                                                                  Process:C:\Users\user\Desktop\L988Ph5sKX.exe
                                                                                  File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Jan 1 20:00:00 2025, mtime=Wed Jan 1 20:00:00 2025, atime=Wed Jan 1 20:00:00 2025, length=74240, window=hide
                                                                                  Category:dropped
                                                                                  Size (bytes):1048
                                                                                  Entropy (8bit):4.9679743404592545
                                                                                  Encrypted:false
                                                                                  SSDEEP:24:8dOwDplXXXORBgKcqpLxuAAacG8MbSnQnBqygm:8dOwDpln+R2SrFc7yg
                                                                                  MD5:A880450D4D443A5797198ED9574BBB12
                                                                                  SHA1:3155FED7D2CEFD4D6EFEEB61E0512D0818B3A954
                                                                                  SHA-256:DACCD19EE1F1453746C85A601C64770DB7C3A187AD1F9CDF7EF9A36B47C3CE03
                                                                                  SHA-512:668CDFD0F3687EF24A81C0BBECAD65F7B0EC8FA2CEBEAE108331EF342C37E1DAF098721CD40BBF511B2DFBF685E26AE82D7503F183D71A67B3956F0B2C7031EF
                                                                                  Malicious:false
                                                                                  Preview:L..................F.... .....J..\....J..\....J..\..."........................:..DG..Yr?.D..U..k0.&...&.......$..S...e(..\..0{_..\......t...CFSF..1.....EW<2..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW<2!ZY............................^.A.p.p.D.a.t.a...B.P.1.....!ZW...Local.<......EW<2!ZY.....[.........................L.o.c.a.l.....N.1.....!Zs...Temp..:......EW<2!Zs.....^.....................e.3.T.e.m.p.....^.2.."..!Z.. .SYSTEM~1..F......!Z..!Z......3........................s.y.s.t.e.m. .l.o.g.......^...............-.......]...........G.`......C:\Users\user\AppData\Local\Temp\system log..'.....\.....\.....\.....\.....\.....\.L.o.c.a.l.\.T.e.m.p.\.s.y.s.t.e.m. .l.o.g.............:...........|....I.J.H..K..:...`.......X.......618321...........hT..CrF.f4... .."qD.....-...-$..hT..CrF.f4... .."qD.....-...-$.............1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.2.2.4.6.1.2.2.6.5.8.-.3.6.9.3.4.0.5.1.1.7.-.2.4.7.6.7.5.6.6.3.4.-.1.0.0.3.........9...1SPS..mD..pH.
                                                                                  Process:C:\Windows\System32\svchost.exe
                                                                                  File Type:JSON data
                                                                                  Category:dropped
                                                                                  Size (bytes):55
                                                                                  Entropy (8bit):4.306461250274409
                                                                                  Encrypted:false
                                                                                  SSDEEP:3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
                                                                                  MD5:DCA83F08D448911A14C22EBCACC5AD57
                                                                                  SHA1:91270525521B7FE0D986DB19747F47D34B6318AD
                                                                                  SHA-256:2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
                                                                                  SHA-512:96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
                                                                                  Malicious:false
                                                                                  Preview:{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}
                                                                                  File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                  Entropy (8bit):6.041904833243209
                                                                                  TrID:
                                                                                  • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                                                                  • Win32 Executable (generic) a (10002005/4) 49.75%
                                                                                  • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                                  • Windows Screen Saver (13104/52) 0.07%
                                                                                  • Generic Win/DOS Executable (2004/3) 0.01%
                                                                                  File name:L988Ph5sKX.exe
                                                                                  File size:74'240 bytes
                                                                                  MD5:98219390b2a78d205ee6fd761b7f5f93
                                                                                  SHA1:4d616c0683dcf2edfac9aba4babb0d05287b0b1c
                                                                                  SHA256:5c6f9ad1a92365495fc5bf4dae87dd8d01c98850ddbbeec9e2c458252a030fef
                                                                                  SHA512:1264aad5d38ba99f0632f0adf2717e94969c943626ad37183eeec8904c6343c4dfe13312651527bba895b45dbc8d0ec48052cc507a3acb10930916a0447241db
                                                                                  SSDEEP:1536:SVYiaPTgfWavwsP92pVXbzK+hTHAzJx0EX6E5UEO+zX9QC:SVYiYGvHkVXbzK+DoO+zt3
                                                                                  TLSH:D0737C1C7BE94528E0FF9BB01DF17256CA39F7631903D25F68C501875723A88CE622E9
                                                                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....ug............................^7... ...@....@.. ....................................@................................
                                                                                  Icon Hash:00928e8e8686b000
                                                                                  Entrypoint:0x41375e
                                                                                  Entrypoint Section:.text
                                                                                  Digitally signed:false
                                                                                  Imagebase:0x400000
                                                                                  Subsystem:windows gui
                                                                                  Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                                  DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                                  Time Stamp:0x67758C8D [Wed Jan 1 18:42:21 2025 UTC]
                                                                                  TLS Callbacks:
                                                                                  CLR (.Net) Version:
                                                                                  OS Version Major:4
                                                                                  OS Version Minor:0
                                                                                  File Version Major:4
                                                                                  File Version Minor:0
                                                                                  Subsystem Version Major:4
                                                                                  Subsystem Version Minor:0
                                                                                  Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
(the zero-byte instruction add byte ptr [eax], al repeats for the remainder of the listing)
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x13708 | 0x53 | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x14000 | 0x4fe | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x16000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x11764 | 0x11800 | e88d0c25236df8112f45e16f4db4fed4 | False | 0.6053152901785714 | data | 6.114884720377369 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0x14000 | 0x4fe | 0x600 | 5622cc7d05bf284bc5c2e1a038d77f93 | False | 0.3828125 | data | 3.8221077424534786 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x16000 | 0xc | 0x200 | 44c2b61102f2c750130756464b263a3e | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0x140a0 | 0x274 | data | | | 0.4554140127388535
RT_MANIFEST | 0x14314 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5469387755102041

DLL | Import
mscoree.dll | _CorExeMain

Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2025-01-01T22:00:13.863715+0100 | 2855924 | ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound | 1 | 192.168.2.6 | 49974 | 147.185.221.24 | 55161 | TCP

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 1, 2025 21:58:56.976012945 CET | 55680 | 53 | 192.168.2.6 | 1.1.1.1
Jan 1, 2025 21:58:56.982786894 CET | 53 | 55680 | 1.1.1.1 | 192.168.2.6

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jan 1, 2025 21:58:56.976012945 CET | 192.168.2.6 | 1.1.1.1 | 0x8f8e | Standard query (0) | ip-api.com | A (IP address) | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jan 1, 2025 21:58:56.982786894 CET | 1.1.1.1 | 192.168.2.6 | 0x8f8e | No error (0) | ip-api.com | | 208.95.112.1 | A (IP address) | IN (0x0001) | false

                                                                                  • ip-api.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.6 | 49699 | 208.95.112.1 | 80 | 6520 | C:\Users\user\Desktop\L988Ph5sKX.exe

Timestamp | Bytes transferred | Direction | Data
Jan 1, 2025 21:58:56.995697975 CET | 80 | OUT | GET /line/?fields=hosting HTTP/1.1
Host: ip-api.com
Connection: Keep-Alive
Jan 1, 2025 21:58:57.521147013 CET | 175 | IN | HTTP/1.1 200 OK
Date: Wed, 01 Jan 2025 20:58:57 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 6
Access-Control-Allow-Origin: *
X-Ttl: 60
X-Rl: 44
Data Raw: 66 61 6c 73 65 0a
Data Ascii: false

                                                                                  Target ID:0
                                                                                  Start time:15:58:52
                                                                                  Start date:01/01/2025
                                                                                  Path:C:\Users\user\Desktop\L988Ph5sKX.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:"C:\Users\user\Desktop\L988Ph5sKX.exe"
                                                                                  Imagebase:0xb10000
                                                                                  File size:74'240 bytes
                                                                                  MD5 hash:98219390B2A78D205EE6FD761B7F5F93
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Yara matches:
                                                                                  • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000000.2086421489.0000000000B12000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                                  • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000000.2086421489.0000000000B12000.00000002.00000001.01000000.00000003.sdmp, Author: ditekSHen
                                                                                  • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.3352894957.0000000002EF1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                  Reputation:low
                                                                                  Has exited:false

                                                                                  Target ID:2
                                                                                  Start time:15:58:57
                                                                                  Start date:01/01/2025
                                                                                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\L988Ph5sKX.exe'
                                                                                  Imagebase:0x7ff6e3d50000
                                                                                  File size:452'608 bytes
                                                                                  MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:high
                                                                                  Has exited:true

                                                                                  Target ID:3
                                                                                  Start time:15:58:57
                                                                                  Start date:01/01/2025
                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                  Imagebase:0x7ff66e660000
                                                                                  File size:862'208 bytes
                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:high
                                                                                  Has exited:true

                                                                                  Target ID:5
                                                                                  Start time:15:59:05
                                                                                  Start date:01/01/2025
                                                                                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'L988Ph5sKX.exe'
                                                                                  Imagebase:0x7ff6e3d50000
                                                                                  File size:452'608 bytes
                                                                                  MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:high
                                                                                  Has exited:true

                                                                                  Target ID:6
                                                                                  Start time:15:59:05
                                                                                  Start date:01/01/2025
                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                  Imagebase:0x7ff66e660000
                                                                                  File size:862'208 bytes
                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:high
                                                                                  Has exited:true

                                                                                  Target ID:10
                                                                                  Start time:15:59:19
                                                                                  Start date:01/01/2025
                                                                                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\system log'
                                                                                  Imagebase:0x7ff6e3d50000
                                                                                  File size:452'608 bytes
                                                                                  MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:high
                                                                                  Has exited:true

                                                                                  Target ID:11
                                                                                  Start time:15:59:19
                                                                                  Start date:01/01/2025
                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                  Imagebase:0x7ff66e660000
                                                                                  File size:862'208 bytes
                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:high
                                                                                  Has exited:true

                                                                                  Target ID:13
                                                                                  Start time:15:59:37
                                                                                  Start date:01/01/2025
                                                                                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'system log'
                                                                                  Imagebase:0x7ff6e3d50000
                                                                                  File size:452'608 bytes
                                                                                  MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:high
                                                                                  Has exited:true

                                                                                  Target ID:14
                                                                                  Start time:15:59:37
                                                                                  Start date:01/01/2025
                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                  Imagebase:0x7ff66e660000
                                                                                  File size:862'208 bytes
                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:high
                                                                                  Has exited:true

                                                                                  Target ID:15
                                                                                  Start time:16:00:00
                                                                                  Start date:01/01/2025
                                                                                  Path:C:\Windows\System32\schtasks.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "system log" /tr "C:\Users\user\AppData\Local\Temp\system log"
                                                                                  Imagebase:0x7ff6ff2b0000
                                                                                  File size:235'008 bytes
                                                                                  MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:high
                                                                                  Has exited:true

                                                                                  Target ID:16
                                                                                  Start time:16:00:00
                                                                                  Start date:01/01/2025
                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                  Imagebase:0x7ff66e660000
                                                                                  File size:862'208 bytes
                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Has exited:true

                                                                                  Target ID:17
                                                                                  Start time:16:00:02
                                                                                  Start date:01/01/2025
                                                                                  Path:C:\Users\user\AppData\Local\Temp\system log
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:"C:\Users\user\AppData\Local\Temp\system log"
                                                                                  Imagebase:0x10000
                                                                                  File size:74'240 bytes
                                                                                  MD5 hash:98219390B2A78D205EE6FD761B7F5F93
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Yara matches:
                                                                                  • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Local\Temp\system log, Author: Joe Security
                                                                                  • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Local\Temp\system log, Author: Joe Security
                                                                                  • Rule: rat_win_xworm_v3, Description: Finds XWorm (version XClient, v3) samples based on characteristic strings, Source: C:\Users\user\AppData\Local\Temp\system log, Author: Sekoia.io
                                                                                  • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Local\Temp\system log, Author: ditekSHen
                                                                                  Antivirus matches:
                                                                                  • Detection: 100%, Avira
                                                                                  • Detection: 100%, Joe Sandbox ML
                                                                                  • Detection: 82%, ReversingLabs
                                                                                  Has exited:true

                                                                                  Target ID:18
                                                                                  Start time:16:00:12
                                                                                  Start date:01/01/2025
                                                                                  Path:C:\Windows\System32\OpenWith.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:C:\Windows\system32\OpenWith.exe -Embedding
                                                                                  Imagebase:0x7ff7b3ec0000
                                                                                  File size:123'984 bytes
                                                                                  MD5 hash:E4A834784FA08C17D47A1E72429C5109
                                                                                  Has elevated privileges:false
                                                                                  Has administrator privileges:false
                                                                                  Programmed in:C, C++ or other language
                                                                                  Has exited:true

                                                                                  Target ID:19
                                                                                  Start time:16:00:13
                                                                                  Start date:01/01/2025
                                                                                  Path:C:\Windows\System32\svchost.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                                                                                  Imagebase:0x7ff7403e0000
                                                                                  File size:55'320 bytes
                                                                                  MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Has exited:false

                                                                                  Target ID:20
                                                                                  Start time:16:00:19
                                                                                  Start date:01/01/2025
                                                                                  Path:C:\Windows\System32\OpenWith.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:C:\Windows\system32\OpenWith.exe -Embedding
                                                                                  Imagebase:0x7ff7b3ec0000
                                                                                  File size:123'984 bytes
                                                                                  MD5 hash:E4A834784FA08C17D47A1E72429C5109
                                                                                  Has elevated privileges:false
                                                                                  Has administrator privileges:false
                                                                                  Programmed in:C, C++ or other language
                                                                                  Has exited:true
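The Target entries above and the memory-dump source names in the function entries that follow can be turned into responder-facing findings programmatically: the re-execution of the submitted sample from a Temp path with no executable extension, the elevated process outside C:\Windows, the Yara matches, the RWX private regions the report counts as dynamic code, and the anti-analysis APIs it resolved. The Python script below is an added example, not Joe Sandbox code: every record value is copied from this page, while the record layout, the function names, the behaviour labels and the reading of the .sdmp field positions are this example's own assumptions.

```python
"""Triage of the process records and memory-dump sources shown in this report."""
import re
from dataclasses import dataclass, field

# MD5 of the submitted sample, as listed in the report's General Information.
SUBMITTED_MD5 = "98219390B2A78D205EE6FD761B7F5F93"

# Documented Win32 constants (winnt.h).
PAGE_EXECUTE_READWRITE = 0x40
MEM_PRIVATE = 0x20000

# What each API resolved in the function entries implies, per the report's signatures.
API_BEHAVIOUR = {
    "CheckRemoteDebuggerPresent": "anti-debug check",
    "RtlSetProcessIsCritical": "BreakOnTermination (critical process) flag",
    "SetWindowsHookExW": "window hook installation",
}


@dataclass
class ProcRecord:
    target_id: int
    path: str
    md5: str
    elevated: bool          # "Has elevated privileges" column of the report
    yara: list = field(default_factory=list)


# Constructed from the Target 17-20 entries on this page.
RECORDS = [
    ProcRecord(17, r"C:\Users\user\AppData\Local\Temp\system log",
               "98219390B2A78D205EE6FD761B7F5F93", True,
               ["JoeSecurity_XWorm", "rat_win_xworm_v3", "MALWARE_Win_AsyncRAT"]),
    ProcRecord(18, r"C:\Windows\System32\OpenWith.exe", "E4A834784FA08C17D47A1E72429C5109", False),
    ProcRecord(19, r"C:\Windows\System32\svchost.exe", "B7F884C1B74A263F746EE12A5F7C9F6A", True),
    ProcRecord(20, r"C:\Windows\System32\OpenWith.exe", "E4A834784FA08C17D47A1E72429C5109", False),
]

# Dump-source names from the function entries, with the APIs resolved in each.
# Target 0 is the submitted sample; target 2 is its powershell.exe child.
DUMP_APIS = {
    "00000000.00000002.3368470552.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp":
        ["CheckRemoteDebuggerPresent", "RtlSetProcessIsCritical", "SetWindowsHookExW"],
    "00000002.00000002.2209058698.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp": [],
}

_SDMP = re.compile(r"^([0-9a-f]{8})\.([0-9a-f]{8})\.(\d+)\.([0-9a-f]{16})\."
                   r"([0-9a-f]{8})\.([0-9a-f]{8})\.([0-9a-f]{8})\.([0-9a-f]{8})\.sdmp$", re.I)
_USER_TEMP = re.compile(r"^C:\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.I)


def parse_sdmp(name):
    """Split a .sdmp source name into fields.  ASSUMPTION: the positions used
    here (target id, snapshot, base, page protection, memory type) are read off
    the names on this page, not taken from a documented Joe Sandbox schema."""
    m = _SDMP.match(name)
    if not m:
        raise ValueError("not a .sdmp source name: %s" % name)
    return {"target_id": int(m.group(1), 16), "snapshot": int(m.group(2), 16),
            "base": int(m.group(4), 16), "protect": int(m.group(5), 16),
            "mem_type": int(m.group(7), 16)}


def is_rwx_private(info):
    """Writable+executable private memory not backed by a PE image: the kind of
    region the report counts as dynamic/decrypted code (JIT output or an
    unpacked payload) and the first thing to dump when a sample is packed."""
    return info["protect"] == PAGE_EXECUTE_READWRITE and info["mem_type"] == MEM_PRIVATE


def masquerades_as_data_file(path):
    """True for a process started from the user's Temp directory under a name
    with no executable extension, as with 'system log' here."""
    name = path.rsplit("\\", 1)[-1]
    return bool(_USER_TEMP.match(path)) and not name.lower().endswith((".exe", ".dll", ".scr"))


def triage(records=RECORDS, dump_apis=DUMP_APIS, submitted_md5=SUBMITTED_MD5):
    """Return (target_id, finding) pairs a responder can act on."""
    findings = []
    for r in records:
        if r.md5.upper() == submitted_md5.upper():
            findings.append((r.target_id, "submitted sample re-executed as " + r.path))
        if masquerades_as_data_file(r.path):
            findings.append((r.target_id, "non-executable name in user Temp: " + r.path))
        if r.elevated and not r.path.lower().startswith("c:\\windows\\"):
            findings.append((r.target_id, "elevated process outside C:\\Windows"))
        for rule in r.yara:
            findings.append((r.target_id, "yara match: " + rule))
    for name, apis in dump_apis.items():
        info = parse_sdmp(name)
        if is_rwx_private(info):
            findings.append((info["target_id"], "RWX private region at 0x%X" % info["base"]))
        for api in apis:
            findings.append((info["target_id"], API_BEHAVIOUR.get(api, api) + " via " + api))
    return findings


if __name__ == "__main__":
    for tid, what in triage():
        print("target %2d: %s" % (tid, what))
```

The RWX-region check fires for the powershell.exe dump as well as for the sample, because both are .NET processes and the CLR emits JIT code into private RWX memory; the region is only interesting for unpacking when it belongs to the target that also resolved the anti-analysis APIs, which is why the findings carry the target id.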


                                                                                    Execution Graph

                                                                                    Execution Coverage:26%
                                                                                    Dynamic/Decrypted Code Coverage:100%
                                                                                    Signature Coverage:33.3%
                                                                                    Total number of Nodes:9
                                                                                    Total number of Limit Nodes:0

                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.3368470552.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ffd34890000_L988Ph5sKX.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: CAO_^
                                                                                    • API String ID: 0-3111533842
                                                                                    • Opcode ID: 8c532e5a2a856633569fe39c422537b9920b7bed0598333455703de9af703723
                                                                                    • Instruction ID: 23ede0ba8ddda5d1c85d8336166f6aa575b410b98ed04d430d9fa0aa1db12f49
                                                                                    • Opcode Fuzzy Hash: 8c532e5a2a856633569fe39c422537b9920b7bed0598333455703de9af703723
                                                                                    • Instruction Fuzzy Hash: BE22A361B1CE494FE7A8F76884B92B97BD2FF99300F840579E54ED32D2DE28AC418741

                                                                                    Control-flow Graph (rendered graph omitted): basic blocks 7ffd34897a81-7ffd34897b88; API called: CheckRemoteDebuggerPresent
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.3368470552.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ffd34890000_L988Ph5sKX.jbxd
                                                                                    Similarity
                                                                                    • API ID: CheckDebuggerPresentRemote
                                                                                    • String ID:
                                                                                    • API String ID: 3662101638-0
                                                                                    • Opcode ID: e7fa51b1642582e59971753a06d1e3ad816a98707ea4e728ba913b02aa43d315
                                                                                    • Instruction ID: 8e887941ea69a09927a0a14f924658a2d6873ab751e5ece9c9b2d67ed15a3119
                                                                                    • Opcode Fuzzy Hash: e7fa51b1642582e59971753a06d1e3ad816a98707ea4e728ba913b02aa43d315
                                                                                    • Instruction Fuzzy Hash: 7631253190875C8FCB58DF58C8867E97BE0FF65321F05416BD489D7282DB34A842CB91

                                                                                    Control-flow Graph (rendered graph omitted): basic blocks 7ffd3489108d-7ffd34891286; no API calls resolved
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.3368470552.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ffd34890000_L988Ph5sKX.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: CAO_^
                                                                                    • API String ID: 0-3111533842
                                                                                    • Opcode ID: a5c99edf489797f129558196302a7aac0e9c554d78291ff0d30849fd32383d24
                                                                                    • Instruction ID: be3e5f991374e6b277b286af692f03a0ac5d272a6497f47176612db2b4245371
                                                                                    • Opcode Fuzzy Hash: a5c99edf489797f129558196302a7aac0e9c554d78291ff0d30849fd32383d24
                                                                                    • Instruction Fuzzy Hash: AA61F217B0C5A26BE221B3FD74B15EA6F24DF8233570C51B7D28C9E0939D28348A86E5

                                                                                    Control-flow Graph (rendered graph omitted): basic blocks 7ffd348960c6-7ffd34896583; calls internal function 7ffd34896584
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.3368470552.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ffd34890000_L988Ph5sKX.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: bc3fd153b2723f3724303a6317f25b8ac98dad615bb039d5b553b109bb0895a7
                                                                                    • Instruction ID: bd5c605aed3e0a8595d96d247ee634a6f561d81b9a9acddc6cba980699efa75d
                                                                                    • Opcode Fuzzy Hash: bc3fd153b2723f3724303a6317f25b8ac98dad615bb039d5b553b109bb0895a7
                                                                                    • Instruction Fuzzy Hash: 22F1A530A08A8D8FEBA8DF28C8557E93BD1FF55310F04426EE84DC7691CB78A9458B81

                                                                                    Control-flow Graph (rendered graph omitted): basic blocks 7ffd34896e72-7ffd348972ff; calls internal function 7ffd34897300
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.3368470552.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ffd34890000_L988Ph5sKX.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 12a75af30480d70130bc900bb6c01d07fcb67521de2b20d96b15ba4365caeb9c
                                                                                    • Instruction ID: 83303c0eab540a86b97a449eb5d8099ff410ec4d6c097495c70a055816cd423d
                                                                                    • Opcode Fuzzy Hash: 12a75af30480d70130bc900bb6c01d07fcb67521de2b20d96b15ba4365caeb9c
                                                                                    • Instruction Fuzzy Hash: 34E1C630A08A8E8FEB68DF68C8557E97BD1FF55310F04426EE84DC7291DF7899458B81
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.3368470552.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ffd34890000_L988Ph5sKX.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 43f5ec2b01d254e8d089ad146d2856e2f74c7b32d5e07fd9c2e11da142463636
                                                                                    • Instruction ID: abbcd119b5ccd306ef802b8695bc2b69de5910705ffa44055b4d65f03ee2251c
                                                                                    • Opcode Fuzzy Hash: 43f5ec2b01d254e8d089ad146d2856e2f74c7b32d5e07fd9c2e11da142463636
                                                                                    • Instruction Fuzzy Hash: 45512F1075EAC50FE796A7B858B42B57FD5EF8722AB0804FBE08DC71A3DD586846C342

                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.3368470552.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ffd34890000_L988Ph5sKX.jbxd
                                                                                    Similarity
                                                                                    • API ID: CriticalProcess
                                                                                    • String ID: N_^
                                                                                    • API String ID: 2695349919-1619743201
                                                                                    • Opcode ID: 2ad87793d013ee66dfed5ef320a6460f50292cac909794ee27e81bb533b43771
                                                                                    • Instruction ID: 70da2db18aeedaf92ed2bf9bbef763ccb6bd197ebcac92c3f5849e68ad264b8c
                                                                                    • Opcode Fuzzy Hash: 2ad87793d013ee66dfed5ef320a6460f50292cac909794ee27e81bb533b43771
                                                                                    • Instruction Fuzzy Hash: 7531F57190CA488FDB28DF98D8557E9BBF4FF55311F04412EE08AD3692CB346846CB91

                                                                                    Control-flow Graph (rendered graph omitted): basic blocks 7ffd34899da8-7ffd34899ebd; API called: SetWindowsHookExW
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.3368470552.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ffd34890000_L988Ph5sKX.jbxd
                                                                                    Similarity
                                                                                    • API ID: HookWindows
                                                                                    • String ID:
                                                                                    • API String ID: 2559412058-0
                                                                                    • Opcode ID: 0f469f690c3103b84fbe63279e92eb38602039d5562e4417564d05d7ca7af6cf
                                                                                    • Instruction ID: 47811bc263cc46d36bb920df0d0519aa47f23c6e5e83640b6c0fa986e1a23f61
                                                                                    • Opcode Fuzzy Hash: 0f469f690c3103b84fbe63279e92eb38602039d5562e4417564d05d7ca7af6cf
                                                                                    • Instruction Fuzzy Hash: BF410A31A1CA5D4FDB18DB9C98566F9BBE1EB5A321F14423ED00DD3292CA75A8128BC1

                                                                                    Control-flow Graph (rendered graph omitted): basic blocks 7ffd348998a9-7ffd3489999d; API called: RtlSetProcessIsCritical
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.3368470552.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ffd34890000_L988Ph5sKX.jbxd
                                                                                    Similarity
                                                                                    • API ID: CriticalProcess
                                                                                    • String ID:
                                                                                    • API String ID: 2695349919-0
                                                                                    • Opcode ID: 46b921e57619a2aced4789159b3263d68d92e2363c64bc15234f7aba8040fefe
                                                                                    • Instruction ID: fcc34719a72c49178b029fa7aeff9a3d743ea67f38b39ffaa9b0d511dff577ae
                                                                                    • Opcode Fuzzy Hash: 46b921e57619a2aced4789159b3263d68d92e2363c64bc15234f7aba8040fefe
                                                                                    • Instruction Fuzzy Hash: 4331B03190CA588FDB28DF98D8557E9BBF0FF55311F14412EE08AD3682CB74A846CB91
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000002.00000002.2209058698.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_2_2_7ffd34890000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 1bb2829f299a65dfd4b077618ef8592464dbc5d13a30430a444a4981bbc6b2d0
                                                                                    • Instruction ID: b62a5ec9120122ba37b093f54eca7888e10a3c756875e0155f8be1efad97b86d
                                                                                    • Opcode Fuzzy Hash: 1bb2829f299a65dfd4b077618ef8592464dbc5d13a30430a444a4981bbc6b2d0
                                                                                    • Instruction Fuzzy Hash: 0BB12470A1CB484FE759EB1CC8A56B5BBE1FB96310F10017ED08AC3292DA25F846CB41
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000002.00000002.2209058698.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_2_2_7ffd34890000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 7a005e3a0f46ed5832157328dfecc769292dd1f163ec009233b2f09d730b555e
                                                                                    • Instruction ID: dcc9f9cc7c2539ca5da4a5464ee01bd3a0531d80214d0dbb54190c529ae7bf05
                                                                                    • Opcode Fuzzy Hash: 7a005e3a0f46ed5832157328dfecc769292dd1f163ec009233b2f09d730b555e
                                                                                    • Instruction Fuzzy Hash: EC31E471A1CF485FDB589F5C98466E9BBE0FBA9310F04422FE449D3352DA70A856CBC2
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000002.00000002.2208716768.00007FFD3477D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD3477D000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_2_2_7ffd3477d000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: fd74499bfb4a28bb76d67cb3ecd2ea63d92d6577b04bf77ab603b7fbb3ded898
                                                                                    • Instruction ID: 1daceed2b07040ca1a9de1e5966d311621ba9f4ac731283e2885989597d97c5b
                                                                                    • Opcode Fuzzy Hash: fd74499bfb4a28bb76d67cb3ecd2ea63d92d6577b04bf77ab603b7fbb3ded898
                                                                                    • Instruction Fuzzy Hash: BA4112B180DBC48FE7568B2898959623FF0EF53314B1945EFD08CCB0A3D669B846C792
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000002.00000002.2209424403.00007FFD34960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34960000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_2_2_7ffd34960000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 3c908d0d2ec891427e875d8798727988a2408cebfae80e98f2ecf0fb6c40b8ed
                                                                                    • Instruction ID: ef3218e3c8f4b2dcf80b2abc5ad4ce82fb61881e7ff8b7ed3b582f8956967342
                                                                                    • Opcode Fuzzy Hash: 3c908d0d2ec891427e875d8798727988a2408cebfae80e98f2ecf0fb6c40b8ed
                                                                                    • Instruction Fuzzy Hash: C911C232B0D6884FEB55DBA890A41B87B91EF5A220B1840BEC54DD7197DA2DAC45C361
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000002.00000002.2209058698.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_2_2_7ffd34890000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
                                                                                    • Instruction ID: ae605e7e7b896741c28386b595f310dc01aebb4b8afea9650844b96dbb4c98a5
                                                                                    • Opcode Fuzzy Hash: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
                                                                                    • Instruction Fuzzy Hash: A401A73020CB0C4FD744EF0CE451AA6B7E0FB89320F10052DE58AC3651DA36E882CB41
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000002.00000002.2209424403.00007FFD34960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34960000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_2_2_7ffd34960000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 9afa958706bb030f98eede39c13050e7563a7fdc081c684accea93bfd43e1344
                                                                                    • Instruction ID: 9ff7fcbefd8e85efb0311050dfa452f6859b59683f872879cff3cc3dd22c5bcb
                                                                                    • Opcode Fuzzy Hash: 9afa958706bb030f98eede39c13050e7563a7fdc081c684accea93bfd43e1344
                                                                                    • Instruction Fuzzy Hash: DEF0B432B0D5048FD768EB8CE4908E473E1EF6633071100BAE15DC71A7DA2AEC44CB55
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000002.00000002.2209424403.00007FFD34960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34960000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_2_2_7ffd34960000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 49b93b9db7b8529a9a4825faaf431cad11d48bbf67496483340ab4ee11c8e81d
                                                                                    • Instruction ID: 9b4188f03bd1ca585422054a6dee0a6286144870f144206e780d91f8333733dd
                                                                                    • Opcode Fuzzy Hash: 49b93b9db7b8529a9a4825faaf431cad11d48bbf67496483340ab4ee11c8e81d
                                                                                    • Instruction Fuzzy Hash: C2F0BE32A0D5448FDB55EB8CE0918E873E0FF0633475100BAE64DC70A3DA2AAC44CB50
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000002.00000002.2209424403.00007FFD34960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34960000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_2_2_7ffd34960000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
                                                                                    • Instruction ID: 58f1382bb6993b943f8ab3d8c690b4bd7c13bec444ad5981856bae3d5ed08961
                                                                                    • Opcode Fuzzy Hash: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
                                                                                    • Instruction Fuzzy Hash: A8E01A31B0C818CFDA68DA4CE090DE973E1EBA933171201BBD24EC7565CA2AEC519B94
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000002.00000002.2209058698.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_2_2_7ffd34890000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 76e180cd32ba0bcf1f6be49233331890ac067ae4e76c0de2f6b7b7d563682ae2
                                                                                    • Instruction ID: 778d96b6f15929155253e60a4152ebe7fc43096d462847ca5d815100d9162176
                                                                                    • Opcode Fuzzy Hash: 76e180cd32ba0bcf1f6be49233331890ac067ae4e76c0de2f6b7b7d563682ae2
                                                                                    • Instruction Fuzzy Hash: A1E0C27774CA160FF6684B1CB8970F437C0DB43230B40027AD686C54A2DA0B64938184
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000002.00000002.2209058698.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_2_2_7ffd34890000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 129bf1de96d6e2d94f777540af071bc1f4e6c2803d89694aac019220d6f1bade
                                                                                    • Instruction ID: 9230649f85df9eb1c4814c6012690cd6f7d9dfb3dd0376231c3a4a5aa83fd3bf
                                                                                    • Opcode Fuzzy Hash: 129bf1de96d6e2d94f777540af071bc1f4e6c2803d89694aac019220d6f1bade
                                                                                    • Instruction Fuzzy Hash: 31E04634804A8C8F8F48EF18C8998E97FE0FF69301B01429BE81DC7520DB759A58CBC2
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000002.00000002.2209058698.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_2_2_7ffd34890000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: N_^4$N_^7$N_^F$N_^J
                                                                                    • API String ID: 0-3508309026
                                                                                    • Opcode ID: f607a371003609e12bc7c0e996899bfb1495943777002b8d63460fc089abdc5b
                                                                                    • Instruction ID: 3b76da1c841fbdb11da6a3614379ab6690a2d8885d252c0cc13f4bf58231014a
                                                                                    • Opcode Fuzzy Hash: f607a371003609e12bc7c0e996899bfb1495943777002b8d63460fc089abdc5b
                                                                                    • Instruction Fuzzy Hash: D32101B7B084266FD3127BFCAD346DA3B54DB9433474902B2D298DB143E934708A8AC2
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.2343889980.00007FFD34895000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34895000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_7ffd34895000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 31c850875e8dd6443a66b70da45b8112dec0a54823b052993ed5b5a7c56df7f5
                                                                                    • Instruction ID: 9acc63bba7726e97d34885b05c28a2cb5cd9245a2651e35816cc5122628617cf
                                                                                    • Opcode Fuzzy Hash: 31c850875e8dd6443a66b70da45b8112dec0a54823b052993ed5b5a7c56df7f5
                                                                                    • Instruction Fuzzy Hash: 2A21902691EBC54FD7139B786C750D57FB0EF13214B0D00E7D589CB0A3E9185809C792
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.2343889980.00007FFD34895000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34895000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_7ffd34895000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: e2a83fd0e6c1521cc9a895e94aebae5637ebf690034fc36971cbdd2ef90251a8
                                                                                    • Instruction ID: ec99621b6fbc06746113b8f4a81d20a131347a5e2867cc39e7589dd8b717c1bc
                                                                                    • Opcode Fuzzy Hash: e2a83fd0e6c1521cc9a895e94aebae5637ebf690034fc36971cbdd2ef90251a8
                                                                                    • Instruction Fuzzy Hash: D721D42190DBC54FDB039B384C691A9BFB0EF13250B0940EBD588CB1A7DA1D9899C793
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.2343889980.00007FFD34895000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34895000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_7ffd34895000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: b647e12aa418522021314de83d470f0de41c102030bd2c53748a3e8f6da4f9c4
                                                                                    • Instruction ID: 3c703f6099b24b1401ea8e76a8a7dd9bec59efd4eb4a0717cb6f8636a7c6283b
                                                                                    • Opcode Fuzzy Hash: b647e12aa418522021314de83d470f0de41c102030bd2c53748a3e8f6da4f9c4
                                                                                    • Instruction Fuzzy Hash: C341183190DB885FDB19DF1C9C5A6A9BFE0FB56310F0441AFD489D3292CA64A816CBC2
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.2342939564.00007FFD3477D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD3477D000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_7ffd3477d000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 0165bb4f2eccf766bdb214bc5bee54e26f67b70098b733c84d4aaa6620c6b81c
                                                                                    • Instruction ID: 0ed2ad4552ae3fbf73b2f32664aee0c6ef71abfc5e44397b5cbde06d3ffb19ca
                                                                                    • Opcode Fuzzy Hash: 0165bb4f2eccf766bdb214bc5bee54e26f67b70098b733c84d4aaa6620c6b81c
                                                                                    • Instruction Fuzzy Hash: 4F41047180DBC48FE7568B389C959623FF0EF53320B1945EFD088CB1A3D669A845C792
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.2343889980.00007FFD34895000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34895000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_7ffd34895000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 2b64ac487f17ca11ec31a9343b388fcaee1c58a88d396e523d44cfbd7ba92d9a
                                                                                    • Instruction ID: d9259b2901ea85456c3a1b0ec538a9165df8ff6078d28f7a77087b2a29a7ce27
                                                                                    • Opcode Fuzzy Hash: 2b64ac487f17ca11ec31a9343b388fcaee1c58a88d396e523d44cfbd7ba92d9a
                                                                                    • Instruction Fuzzy Hash: 5721263090CB8C8FDB59DBAC9C4A7E97FF0EB96321F04416BD048C3152DA74A846CB92
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.2344561747.00007FFD34960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34960000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_7ffd34960000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 8c5e312f22ac83296764d5e6d123dddbe835bbdcfb48766135c82db26ccd327b
                                                                                    • Instruction ID: 4bbe434122de7288327d1cbb5e30c84220634dd5894cfbad024e55a573596456
                                                                                    • Opcode Fuzzy Hash: 8c5e312f22ac83296764d5e6d123dddbe835bbdcfb48766135c82db26ccd327b
                                                                                    • Instruction Fuzzy Hash: B1110232B0D6884FEB51DBA890A41A87B91EF5A220B1841BEC54CC7197CA2DAC45C360
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.2343889980.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_7ffd34890000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
                                                                                    • Instruction ID: ae605e7e7b896741c28386b595f310dc01aebb4b8afea9650844b96dbb4c98a5
                                                                                    • Opcode Fuzzy Hash: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
                                                                                    • Instruction Fuzzy Hash: A401A73020CB0C4FD744EF0CE451AA6B7E0FB89320F10052DE58AC3651DA36E882CB41
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.2344561747.00007FFD34960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34960000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_7ffd34960000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 4d976be7ecd84227cfd668567ebc60e204fc16b834e2c5a2f370428feb728115
                                                                                    • Instruction ID: 3683f77658a75b0d39550da3831de4e926ed2d41d7b7a710d1b3ad668aefaa27
                                                                                    • Opcode Fuzzy Hash: 4d976be7ecd84227cfd668567ebc60e204fc16b834e2c5a2f370428feb728115
                                                                                    • Instruction Fuzzy Hash: C3F0BE32B0D5448FD768EB8CE4908E873E1EF6633071200BAE25DC71A7CA2AEC44CB55
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.2344561747.00007FFD34960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34960000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_7ffd34960000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 0b6f09a014ec6b52ee383cfe4e6642ef4190902fb817f2d780b70196df49cc59
                                                                                    • Instruction ID: ec4d6fd0549dc7ba4a20ed343b6600e62de416eb71867153274b20adbc979d14
                                                                                    • Opcode Fuzzy Hash: 0b6f09a014ec6b52ee383cfe4e6642ef4190902fb817f2d780b70196df49cc59
                                                                                    • Instruction Fuzzy Hash: 01E04F31814A4D8F8B45EF28D4198EA7BE0FF68205F4006ABE45DC3120DB319658CBC2
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.2745523468.00007FFD34880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34880000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_13_2_7ffd34880000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: O_^8$O_^<$O_^?$O_^J$O_^K$O_^N$O_^Q$O_^Y
                                                                                    • API String ID: 0-3814653101
                                                                                    • Opcode ID: 049ef812df7fd761601f28dd96fc4d10cb6a864f10ec31d3fde299ba9228c6b6
                                                                                    • Instruction ID: 2b598698b943946a22ca278c034ef957221ecf276282d0589f3beff9c8fbb335
                                                                                    • Opcode Fuzzy Hash: 049ef812df7fd761601f28dd96fc4d10cb6a864f10ec31d3fde299ba9228c6b6
                                                                                    • Instruction Fuzzy Hash: 26212273A145115AC21236FCB8615D92794DF9437A34911F3E01DEF303E938B48B8680
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000011.00000002.2826966251.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_17_2_7ffd348b0000_system log.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 4641d1f050fdd43949b455975222791a37e628f188cb12750b52ba449c15a7ce
                                                                                    • Instruction ID: 8b550b87c32fbbc6b3a233491ab63f8d4fcfa9dd9229b3335a2a3fd15c724682
                                                                                    • Opcode Fuzzy Hash: 4641d1f050fdd43949b455975222791a37e628f188cb12750b52ba449c15a7ce
                                                                                    • Instruction Fuzzy Hash: 2522B461B1CA494FE7A8EB6884B92BD77D2FF9D340F440579E04EC72D7DD68A8018781
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000011.00000002.2826966251.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_17_2_7ffd348b0000_system log.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: e246ee57156eb1cd7a0f3a70d1ddb07691d747080e2f0eae787d726c1cc940ce
                                                                                    • Instruction ID: 2961b849a144b9da05f491fdc2196c3982698cfe143e5c78cfae1bbae6e67298
                                                                                    • Opcode Fuzzy Hash: e246ee57156eb1cd7a0f3a70d1ddb07691d747080e2f0eae787d726c1cc940ce
                                                                                    • Instruction Fuzzy Hash: AF51041075E6C50FE796A7B858B82B57FD5DF87219B0801FBE08DC7293DD985806C382
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000011.00000002.2826966251.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_17_2_7ffd348b0000_system log.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: 9M_^
                                                                                    • API String ID: 0-1708477388
                                                                                    • Opcode ID: 57e60aa03bef372443a3805c922600ba919edeebb260e047cc84f46ee0b3e211
                                                                                    • Instruction ID: 6e4d0babf79dc904d947a20dae855b0f79013a645f4777171c1614d5bc7d6daf
                                                                                    • Opcode Fuzzy Hash: 57e60aa03bef372443a3805c922600ba919edeebb260e047cc84f46ee0b3e211
                                                                                    • Instruction Fuzzy Hash: 59612326B0952A9FE711BBFCA4711ED7BA1EF8A325B180676D00CD7283DD78748687D0
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000011.00000002.2826966251.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_17_2_7ffd348b0000_system log.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: 4M_^
                                                                                    • API String ID: 0-2545914641
                                                                                    • Opcode ID: 5f0d34e8819e99d11ab22332df139db828facbefbca3ee0f9d2f71fdc92f7d24
                                                                                    • Instruction ID: fdf2c1486ded6ebadfc7642ce5b6efaf96480cdd30a361698a0d4eee7d6849dc
                                                                                    • Opcode Fuzzy Hash: 5f0d34e8819e99d11ab22332df139db828facbefbca3ee0f9d2f71fdc92f7d24
                                                                                    • Instruction Fuzzy Hash: AA510621B0D6860FE3A6A7BC58652B97BE5DF87321B0941FBD48CC72D3DD5C58428392
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000011.00000002.2826966251.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_17_2_7ffd348b0000_system log.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: be885f77016948739b67214172bb8cd7425c909197275fa52c7d4f625d7b6b07
                                                                                    • Instruction ID: b13da34f1d35132f99cc755cf1d35ed2898c19f6240f0a9b70293a00197fed94
                                                                                    • Opcode Fuzzy Hash: be885f77016948739b67214172bb8cd7425c909197275fa52c7d4f625d7b6b07
                                                                                    • Instruction Fuzzy Hash: 5C318623A0D69A4FE751A7BC98B50E97BB1EF43354B0902B7D185DF193ED6C68068780
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000011.00000002.2826966251.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_17_2_7ffd348b0000_system log.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 82e21ca72a95db78d3f7a651092bb6005d6f2b3802d2f987bff420d21a587b07
                                                                                    • Instruction ID: b8b3c7123d47a242d34f6a79a188fe6e2313a19c36212f247f7a5df6c776e628
                                                                                    • Opcode Fuzzy Hash: 82e21ca72a95db78d3f7a651092bb6005d6f2b3802d2f987bff420d21a587b07
                                                                                    • Instruction Fuzzy Hash: B5A11626B0956A9FD711BBBCB8611EE7BA1EF86331B0842B7D148DB183DD78604687D0
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000011.00000002.2826966251.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_17_2_7ffd348b0000_system log.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 6ee73c51bcc3bd3dd54f70660b7c46c008ce36f7eee5b767e5373678ab65d20b
                                                                                    • Instruction ID: b07cb086ab8e28048e076de3efe942368392e2453ae7f9e9326a8e4915e0f8df
                                                                                    • Opcode Fuzzy Hash: 6ee73c51bcc3bd3dd54f70660b7c46c008ce36f7eee5b767e5373678ab65d20b
                                                                                    • Instruction Fuzzy Hash: B8911626B0992E9BD710BBBCB4651ED7BA5EF86332B0846B7D14CCB183DD78604687D0
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000011.00000002.2826966251.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_17_2_7ffd348b0000_system log.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 57ad0df4f4bb8bedbcb5de9eb481e77c3c054f3d0e47e320494fed6f0dccd8a9
                                                                                    • Instruction ID: 9c35e65de89123524985df90341d83becfc560e88009661444745a126789fed0
                                                                                    • Opcode Fuzzy Hash: 57ad0df4f4bb8bedbcb5de9eb481e77c3c054f3d0e47e320494fed6f0dccd8a9
                                                                                    • Instruction Fuzzy Hash: 7A812626B0992A9BD710BBBCB4611EE7BA5EF8A321B084277D14CCB183CD74604687D0
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000011.00000002.2826966251.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_17_2_7ffd348b0000_system log.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 515b86acba8ca8678e93d5f77a0b9a3faa05c3fb89a0e05b7b54f38b2a752686
                                                                                    • Instruction ID: e86580d3788f4a16014e109e9d6b8872fba500e4ad35303f173076f471221d93
                                                                                    • Opcode Fuzzy Hash: 515b86acba8ca8678e93d5f77a0b9a3faa05c3fb89a0e05b7b54f38b2a752686
                                                                                    • Instruction Fuzzy Hash: EB812626B0952A9FD710BBBCB4651EE7BA5EF86331B084277D14CDB183DD78604687D0
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000011.00000002.2826966251.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_17_2_7ffd348b0000_system log.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 068091d448be8aa8a0d097ced9574f504756d9047a922e6e2c9fb2c534e017a9
                                                                                    • Instruction ID: 06c7d3bcaf16d6373842b1f5b8d4572e736895e9c15272a7bbe45aa3bfddcc2c
                                                                                    • Opcode Fuzzy Hash: 068091d448be8aa8a0d097ced9574f504756d9047a922e6e2c9fb2c534e017a9
                                                                                    • Instruction Fuzzy Hash: B8711526B0952A9FD710BBFCA4651EE7BA5EF8A321B1802B7D04CD7183DD74704687D0
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000011.00000002.2826966251.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_17_2_7ffd348b0000_system log.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 4f71fe334e855649b57338f740005290854ba4f2f126d04560826827386404bb
                                                                                    • Instruction ID: b960c346642ba3baf285e03f0a3adb09d81490be4f07a4e07b8e0762b5f92f33
                                                                                    • Opcode Fuzzy Hash: 4f71fe334e855649b57338f740005290854ba4f2f126d04560826827386404bb
                                                                                    • Instruction Fuzzy Hash: 7531A821B1D9490FF798EB6C9469779B7C6EB99315F0405BEE40DC3293DDA8AC418381
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000011.00000002.2826966251.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_17_2_7ffd348b0000_system log.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: db8174789439a031d2f8be585f40733ca5e211603a88718382012a9a36463445
                                                                                    • Instruction ID: 54c9f73470034bfad49dad63b65569e9bd9a31dbb8f8056bebbacc74b7ab11d3
                                                                                    • Opcode Fuzzy Hash: db8174789439a031d2f8be585f40733ca5e211603a88718382012a9a36463445
                                                                                    • Instruction Fuzzy Hash: A731B451B1C9095FFB54BBEC587A3BD77D2EB99311F18027AE00DD32D2ED6868018391
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000011.00000002.2826966251.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_17_2_7ffd348b0000_system log.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: dcb77fec3a8b2caf958684784d8e50bd979f568497427e6ea22415b79f94d65b
                                                                                    • Instruction ID: 28b09adae57662983423df58e5305c974d6a082b39f6fd97c675b08b890f658e
                                                                                    • Opcode Fuzzy Hash: dcb77fec3a8b2caf958684784d8e50bd979f568497427e6ea22415b79f94d65b
                                                                                    • Instruction Fuzzy Hash: 0D41B064B1CA4E4FEB51EBA888752ED7BE2FF8E301F540579D009D3297CE3868018780
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000011.00000002.2826966251.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_17_2_7ffd348b0000_system log.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: d60d088667b1f5b8bc49cbe20dc0d5fbafab812f94fb5253f08441caf88941b8
                                                                                    • Instruction ID: d470f910c8c0768716d825c43195059966bf2a7db103af2fb4d2189ee947a713
                                                                                    • Opcode Fuzzy Hash: d60d088667b1f5b8bc49cbe20dc0d5fbafab812f94fb5253f08441caf88941b8
                                                                                    • Instruction Fuzzy Hash: 8731B0A5B4964A4FD352EBA894B90ED3F72AF8D301B8454A5D44DC738BDE386A008BC1
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000011.00000002.2826966251.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_17_2_7ffd348b0000_system log.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: c111f3bdfd783920f8286af631d3967d00213e9eb7643bcf0a9022eabc68a399
                                                                                    • Instruction ID: 802fc73bec7f095b367494bacef3614e8178d7d157859656cac9c01a86322c3c
                                                                                    • Opcode Fuzzy Hash: c111f3bdfd783920f8286af631d3967d00213e9eb7643bcf0a9022eabc68a399
                                                                                    • Instruction Fuzzy Hash: DC219EA5759A494FD352EBA884B94ED7F72BF8D301B8454A5D40DC338FCE386A008BC1
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000011.00000002.2826966251.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_17_2_7ffd348b0000_system log.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 81d75cf97c1d88f24cc3e9bf6556815a9ecb2984d7de41e3b770804a2065ae3b
                                                                                    • Instruction ID: cda73dcb491aac863920b5fe955b0b6fed6afd1b97e78d60746f1e4eea4facb4
                                                                                    • Opcode Fuzzy Hash: 81d75cf97c1d88f24cc3e9bf6556815a9ecb2984d7de41e3b770804a2065ae3b
                                                                                    • Instruction Fuzzy Hash: EC014954A0CBC50FE792A73C18B94757FE1DF9A241B0808AAE88CC71A7DC4C698493C2
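The records above are the report's raw dump-source listing: each "Memory Dump Source" block names an .sdmp memory region, the IDA snapshot it was analysed from, and the opcode and instruction hashes of one function found in it. As an added example that is not part of the Joe Sandbox report, the following Python parses records in exactly this layout into structured entries, reads the PID and run number from the leading dotted fields of the .sdmp name (the page's own records show 0D matching hcaresult_13_2_... and 11 matching hcaresult_17_2_..., so those fields are read as hex PID and run), cross-checks each record for internal consistency, and tallies records per process. The sample input is constructed from two of the records above; the function names are mine, and the meaning of the remaining dotted fields in the .sdmp name is not documented on the page, so they are kept raw rather than interpreted.

```python
import re
from collections import Counter

# Constructed sample input: two records copied in the layout of the
# report's "Memory Dump Source" listing (one PowerShell dump, one from the
# process Joe Sandbox labels "system log").
SAMPLE = """\
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2745523468.00007FFD34880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34880000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_7ffd34880000_powershell.jbxd
Similarity
• API ID:
• String ID: O_^8$O_^<$O_^?$O_^J$O_^K$O_^N$O_^Q$O_^Y
• API String ID: 0-3814653101
• Opcode ID: 049ef812df7fd761601f28dd96fc4d10cb6a864f10ec31d3fde299ba9228c6b6
• Instruction ID: 2b598698b943946a22ca278c034ef957221ecf276282d0589f3beff9c8fbb335
• Opcode Fuzzy Hash: 049ef812df7fd761601f28dd96fc4d10cb6a864f10ec31d3fde299ba9228c6b6
• Instruction Fuzzy Hash: 26212273A145115AC21236FCB8615D92794DF9437A34911F3E01DEF303E938B48B8680
Memory Dump Source
• Source File: 00000011.00000002.2826966251.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_7ffd348b0000_system log.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4641d1f050fdd43949b455975222791a37e628f188cb12750b52ba449c15a7ce
• Instruction ID: 8b550b87c32fbbc6b3a233491ab63f8d4fcfa9dd9229b3335a2a3fd15c724682
• Opcode Fuzzy Hash: 4641d1f050fdd43949b455975222791a37e628f188cb12750b52ba449c15a7ce
• Instruction Fuzzy Hash: 2522B461B1CA494FE7A8EB6884B92BD77D2FF9D340F440579E04EC72D7DD68A8018781
"""

# "• Key: value" lines; the bullet is optional so a plain-text export also parses.
FIELD_RE = re.compile(r"^\s*(?:•\s*)?([A-Za-z ]+?):\s*(.*)$")
SOURCE_RE = re.compile(
    r"^(?P<dump>\S+\.sdmp), Offset: (?P<offset>[0-9A-Fa-f]+), based on PE: (?P<pe>true|false)$"
)
SNAPSHOT_RE = re.compile(r"^hcaresult_(\d+)_(\d+)_([0-9A-Fa-f]+)_(.+)\.jbxd$")


def _build(fields):
    """Turn the key/value lines of one record into a structured entry."""
    src = SOURCE_RE.match(fields.get("Source File", ""))
    snap = SNAPSHOT_RE.match(fields.get("Snapshot File", ""))
    if not src or not snap:
        raise ValueError("record lacks a parseable Source File / Snapshot File")
    # Dotted .sdmp name: <pid hex>.<run hex>.<dump id>.<base hex>.<further fields...>
    # Only the first four are interpreted; the rest are kept raw (assumption:
    # their meaning is not documented in the report).
    parts = src.group("dump")[: -len(".sdmp")].split(".")
    raw_strings = fields.get("String ID", "")
    return {
        "pid": int(parts[0], 16),
        "run": int(parts[1], 16),
        "dump_id": parts[2],
        "base": int(parts[3], 16),
        "extra_fields": parts[4:],
        "offset": int(src.group("offset"), 16),
        "based_on_pe": src.group("pe") == "true",
        "snap_pid": int(snap.group(1)),
        "snap_run": int(snap.group(2)),
        "snap_base": int(snap.group(3), 16),
        "process": snap.group(4),
        "strings": raw_strings.split("$") if raw_strings else [],
        "api_string_id": fields.get("API String ID", ""),
        "opcode_id": fields.get("Opcode ID", "").lower(),
        "instruction_id": fields.get("Instruction ID", "").lower(),
        "opcode_fuzzy": fields.get("Opcode Fuzzy Hash", "").lower(),
        "instruction_fuzzy": fields.get("Instruction Fuzzy Hash", "").upper(),
    }


def parse_records(text):
    """Split a listing into records; each starts at a 'Memory Dump Source' line."""
    records, fields = [], None
    for line in text.splitlines():
        if line.strip() == "Memory Dump Source":
            if fields is not None:
                records.append(_build(fields))
            fields = {}
            continue
        if fields is None:
            continue  # header text before the first record
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1)] = m.group(2).strip()
    if fields is not None:
        records.append(_build(fields))
    return records


def check_record(rec):
    """Return a list of internal inconsistencies (empty when the record is sound)."""
    issues = []
    if rec["pid"] != rec["snap_pid"]:
        issues.append(f"pid {rec['pid']} != snapshot pid {rec['snap_pid']}")
    if rec["run"] != rec["snap_run"]:
        issues.append(f"run {rec['run']} != snapshot run {rec['snap_run']}")
    if not (rec["base"] == rec["snap_base"] == rec["offset"]):
        issues.append("base address disagrees between dump name, snapshot name and Offset")
    if rec["opcode_id"] != rec["opcode_fuzzy"]:
        issues.append("Opcode ID differs from Opcode Fuzzy Hash")
    if len(rec["opcode_id"]) != 64 or len(rec["instruction_id"]) != 64:
        issues.append("Opcode/Instruction ID is not a 64-hex-digit value")
    return issues


def summarize(records):
    """Count records per (pid, process name)."""
    return Counter((r["pid"], r["process"]) for r in records)


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for r in recs:
        print(f"PID {r['pid']} ({r['process']}) base {r['base']:#x} PE-backed={r['based_on_pe']}: "
              f"{len(r['strings'])} strings, issues={check_record(r) or 'none'}")
    print(dict(summarize(recs)))
```

Every record in this section reports "based on PE: false", so the entries describe code that was found in memory regions not backed by an image on disk, which is what a triage script would want to group and count per process before looking at the hashes themselves.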